Protection of personal data

According to the Regulation of the European Parliament and the EU Council No. 2016/679 from 27. April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter „GDPR“).

The controller processing personal data is NOVIS Insurance Company, NOVIS Versicherungsgesellschaft, NOVIS Compagnia di Assicurazioni, NOVIS Poisťovňa a.s., Námestie Ľudovíta Štúra 2, 811 02 Bratislava (hereinafter „Controller“). Company Identification number: 47251301, VAT registration number: 7120001350, registered in the Business Register of the District Court Bratislava I, Section: Sa, file number: 5851 / B.

The Controller has a designated data protection officer. You can contact this person by post at the address of the registered office of the Controller or via email at dataprotection@novis.eu. Data subjects may contact the data protection officer with any questions concerning the processing of their personal data and the exercise of their rights under GDPR. The data protection officer is bound by the obligation of secrecy and/or confidentiality in accordance with Union and/or Member State law.

The Controller processes the personal data of its clients in order to provide services connected with the conclusion and administration of insurance contracts, underwriting or claims management. Specific purposes of processing and the legal basis for processing include:

Purpose – Legal basis

1.  performance of the insurance activity related to the data subject - processing is necessary for compliance with a legal obligation according to the Act on Insurance
2. performance of activities related to supervisory and other authorities - Act on Insurance
3. registry administration (post office) - Archives and Registry Act
4. accounting and financial statements - Act on Accounting
5. management of the joint-stock company agenda - Commercial Code
6. management of complaints - Act on Insurance litigation - legitimate interest in the protection of property and rights of the Controller
7. addressing requests of data subjects - Regulation of the European Parliament and the Council of the EU no. 2016/679
8. prevention of the use of the financial system for the purposes of money laundering or terrorist financing - Act on the Prevention of Legalization of Proceeds of Criminal Activity and Terrorist Financing
9. whistle-blowing - Act on Certain Measures Related to Reporting The Anti-Social Activities
10. automatic exchange of information about financial accounts for the purposes of tax administration (FATCA/CRS)
11. archive management - Archives and Registry Act
12. marketing - consent of the data subject
13. providing clients data to the insurance intermediaries for the purposes of meeting their legal obligations - legitimate interest

Depending on the activities, statutory and contractual obligations, the Controller provides personal data to the following categories of recipients: the Controller´s subsidiaries, insurance intermediaries, contracted doctors of the Controller, reinsurers, IT suppliers, suppliers of printing and postal services, marketing agencies, legal counsels, notaries, executors, fraud detection agencies, delivery companies, banks, debt collection agencies.

The Controller processes personal data for the time necessary to fulfill the purpose of its processing. Usually, for as long as there is a legal relationship and five years after its termination or otherwise if the legislation or contractual relationships state a different retention period for the certain purpose of the processing. 

A data subject is a natural person whose personal data are being processed. Data subjects have the right to:

• access personal data,
• demand correcting, erasing or restricting the processing of personal data
• object to the processing of personal data
• transfer personal data
• withdraw the consent for the processing of personal data (where processing is based on the consent of the data subject)

Access to personal data

The data subject shall have the right to obtain from the Controller a confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: purposes of the processing, categories of personal data concerned, the nature of the recipients to whom personal data were or will be disclosed, the envisaged period of retention of personal data,  the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing, the right to lodge a complaint with a supervisory authority and where personal data have not been obtained from the data subject, any available information as to their source.

Rectification of personal data

The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have the incomplete personal data completed, including by means of providing a supplementary statement.

Erasure of personal data („right to be forgotten“)

The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: 

• personal data are no longer necessary in relation to purposes for which they were collected or otherwise processed, 
• the data subject withdraws the consent on which the processing is based and where there is no other legal ground for the processing, 
• the data subject objects to the processing based on the necessity for the performance of a task carried out for the public interest or for the exercise of public power, or for the purposes of the legitimate interest pursued by the Controller and there are no overriding legitimate grounds for the processing, or where personal data of the data subject are processed for direct marketing purposes on the basis of the legitimate interest pursued by the Controller, the data subject objects to the processing pursuant to Article 21 (2) of GDPR, 
• personal data have been unlawfully processed, 
• personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject, 
• personal data have been collected in relation to the offer of information society services referred to Article 8 (1) of GDPR - child‘s consent. 

Restriction of processing personal data

The data subject shall have the right to request from the Controller restriction of processing where one of the following applies: 

• the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data, 
• the processing is unlawful, and the data subject opposes the erasure of personal data and requests the restriction of their use instead, 
• the Controller no longer needs the personal data for processing, but they are required by the data subject to for the establishment, exercise, or defense of legal claims, 
• the data subject has objected to processing based on the necessity for the performance of a task carried out for the public interest or for the exercise of public power, or for the purposes of the legitimate interest pursued by the Controller pending the verification whether the legitimate grounds on the part of the Controller override the legitimate grounds of the data subject. 

Where processing has been restricted, such personal data shall with the exception of retention, only be processed with the consent of the data subject, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The data subject, who has obtained restriction of data processing shall be informed by the Controller before the restriction of processing is lifted. 

Objecting to processing of personal data
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data, which is based on the necessity for the performance of a task carried out for the public interest or for the exercise of public power, or for purposes of legitimate interests pursued by the Controller or a third party with the exception of cases where such interests prevail over the interests or fundamental rights and freedoms of a data subject that require the protection of personal data, especially when the data subject is a child. The Controller mustn´t further process personal data unless it demonstrates compelling legitimate grounds necessary for the processing that outweigh the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims. When personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for purposes of such marketing, which includes profiling to the extent that it is related to such direct marketing. 

Transfer of personal data
The data subject shall have the right to obtain personal data related to him or her and which he or she has provided to the Controller in a structured, commonly used and machine-readable format and shall have the right to transfer such data to another controller without hindrance from the Controller to whom such personal data have been provided, if the processing is based on consent or contract and if the processing is carried out by automated means. A data subject shall, in exercising his or her right on data portability, have the right to transfer personal data directly from one controller to another, where technically feasible. 

Withdrawal of consent
Where the processing is based on the consent of the data subject, the data subject shall have the right to withdraw his or her consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The withdrawal of consent is effective as soon as the Controller is notified. 

The data subject shall have the right to lodge a complaint with a supervisory authority if he or she considers that the processing of personal data relating to him or her infringes the GDPR. The supervisory authority for the Controller is the Office for Personal Data Protection of the Slovak Republic. The supervisory authority that has received the complaint shall inform the complainant of the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of GDPR. 

Regardless of the purpose of personal data processing, the provision by the data subject for the Controller is always voluntary. The Controller needs to process personal data to fulfill its statutory and contractual obligations. Failure to provide personal data may, therefore, lead to the inability to enter a contractual relationship with the Controller.