Personal data protection policy
This Policy determines the conditions and the order under which the natural persons, whose personal data are processed by Insurance Company Lev Ins AD (Lev Ins, the Company, We), may exercise their rights in accordance with the legislation for protection of personal data.
PART 1: GENERAL PROVISIONS
1.1. Lev Ins processes, stores and protects personal data collected in the course of its activities, transparently, lawfully and in accordance with the purposes for which the data are collected.
1.2. This policy also applies to the way in which the Company's employees process personal data for the purposes of distribution of insurance products, conclusion of insurance policies, fulfillment of obligations under insurance contracts and settlement of claims under insurance contracts as part of their employment obligations. Employees are required to observe the following principles when processing personal data:
1.2.1 Personal data are processed lawfully and in good faith.
1.2.2 Personal data are collected for specific, well-defined and legitimate purposes or purposes of a similar nature and are not further processed in a way incompatible with those purposes.
1.2.3 The personal data that are collected and processed in the management of human resources shall be relevant, related to and not exceeding the purposes for which they are processed.
1.2.4. Personal data are accurate and, if necessary, updated.
1.2.5 Personal data shall be erased or corrected when they are found to be inaccurate or inconsistent with the purposes for which they are processed.
1.2.6 Personal data shall be kept in a form which permits identification of the natural persons concerned for no longer than is necessary for the purposes for which the data are processed.
1.3. Employees who process personal data receive initial and periodic confidentiality training and become familiar with applicable law.
1.4. All personal data and other information by which the natural person can be identified shall be collected and processed only if required and to the extent necessary for the performance of the employee’s professional duties, on condition that such activities are carried out within the scope of the powers, provided to the employee and in accordance with the legal requirements for personal data protection.
PART 2: DEFINITIONS
The definitions stated below have the following meanings:
"Personal data" means any information relating to an identified natural person or a natural person, which can be identified directly or indirectly, in particular by means of an identifier such as name, identification number, location data, an online identifier or one or more features, specific to the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity of that natural person;
„Profiling“ means any form of automated processing of personal data, consisting of the use of personal data to assess certain personal aspects relating to a natural person, and in particular to analyze or forecast aspects relating to the performance of professional duties of that natural person, his economic situation, health, personal preferences, interests, reliability, behaviour, location or movement
„’Data subject“ means a natural person who can be identified, directly or indirectly, in particular by means of an identifier such as name, identification number, location data, an online identifier or one or more features specific to the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity of that natural person;
„Processing” means any operation or set of operations carried out with personal data or a set of personal data by automatic or other means such as collecting, recording, organising, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making the data available, arranging or combining, restricting or destroying;
PART 3: RIGHTS OF PERSONAL DATA SUBJECTS
Data subjects have the following rights regarding their personal data:
- Right of access;
- Right to rectification;
- Right to data portability;
- Right to be erased (right to be forgotten);
- Right to request restriction of processing;
- Right to object to the processing of personal data;
- Right of the data subject not to be subject to a decision based solely on automated processing, including profiling.
Right of access
2.1. On request Lev Ins provides to a personal data subject the following information:
2.1.1 confirmation whether Lev Ins processes personal data of the person or not;
2.1.2 a copy of the personal data of the person, which are processed by Lev Ins, in case this does not infringe on other people's rights and legitimate interests, and
2.1.3 explanation of the data processed.
2.2. The explanation under Art. 2.1.3 includes the following information regarding the personal data processed by Lev Ins:
2.2.1 the purposes of the processing;
2.2.2 the relevant categories of personal data;
2.2.3 the recipients or categories of recipients to whom the personal data are or will be disclosed, in particular recipients in third countries or international organisations;
2.2.4 where possible, the intended period for which the personal data will be stored and, if this is not possible, the criteria used to determine this period;
2.2.5 the existence of the right to request the rectification or erasure of personal data or restriction of the processing of personal data relating to the data subject or to object to such processing;
2.2.6 the right to appeal to a supervisory authority;
2.2.7 where personal data are not collected by the data subject, any available information on their source;
2.2.8 the existence of automated decision-making, including profiling, and information on the logic used, as well as the significance and anticipated consequences of this processing for the data subject;
2.2.9 when personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards in connection with the transfer.
2.3. The explanation of the data processed includes the information that Lev Ins provides to the data subjects through a privacy notice.
3.1. Upon request from the personal data subject, Lev Ins may provide a copy of the personal data that are being processed.
3.2. When providing a copy of personal data, Lev Ins shall not disclose the following categories of data:
3.2.1 personal data of third parties, unless they have expressly agreed to this;
3.2.2 data that constitutes a trade secret, intellectual property or confidential information;
3.2.3 other information that is protected under applicable law.
3.3. Granting access to personal data subjects may not adversely affect the rights and freedoms of third parties or lead to a breach of a legal obligation of Lev Ins.
4.1. Where requests for access are manifestly unfounded or excessive, in particular because of their repetitive nature, Lev Ins may charge a reasonable fee based on the administrative costs of providing the information.
4.2. Lev Ins assesses on a case-by-case basis whether a request is manifestly unfounded or excessive.
4.3 In the event that a request for access to personal data is manifestly unfounded, Lev Ins may refuse access, justifying its refusal and informing the data subject of his or her right to lodge a complaint with the Data Protection Commission.
Right of rectification
5.1. Data subjects may request that their personal data processed by Lev Ins be rectified in case the latter are inaccurate or incomplete.
5.2. Upon satisfaction of a request for rectification of personal data, Lev Ins notifies the other recipients to whom the data have been disclosed (e.g. public authorities, service providers) so that they can reflect the changes.
Right to be erased ("right to be forgotten")
6.1. Upon request, Lev Ins is obliged to erase personal data if any of the following reasons exist:
6.1.1 personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
6.1.2 the data subject withdraws his consent on which the data processing is based and there is no other legal basis for the processing;
6.1.3 the data subject objects to the processing and there are no legitimate grounds for the processing to take precedence;
6.1.4 the data subject objects to the processing of personal data for the purposes of direct marketing.
6.1.5 personal data have been processed unlawfully;
6.1.6 data must be erased in order to comply with a legal obligation of Lev Ins;
6.1.7 personal data have been collected in connection with the provision of information society services to children within the meaning of Article 8 (1) of Regulation (EU) 2016/679.
6.2 Lev Ins is not obliged to erase personal data insofar as the processing is necessary:
- to exercise the right to freedom of expression and the right to information;
- to comply with a legal obligation of Lev Ins, which requires processing;
- for reasons of public interest in the field of public health in accordance with Article 9 (2) (h) and (i) and Article 9 (3) of Regulation (EU) 2016/679;
- for archiving purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89 (1) of Regulation (EU) 2016/679, insofar as the right of erasure is likely to make it impossible or seriously impede the processing purposes; or
- for establishment, exercise or defence of legal claims.
Right to restriction of processing
7.1. The data subject has the right to request a restriction on processing when any of the following grounds exist:
7.1.1 the accuracy of personal data is contested by the data subject for a period that allows the controller to verify the accuracy of personal data;
7.1.2 the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
7.1.3 the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
7.1.4 The data subject has objected to the processing on the basis of the legitimate interest of Lev Ins and an investigation is underway as to whether the legal grounds of the controller take precedence over the interests of the data subject.
7.2. Lev Ins may process personal data, the processing of which is restricted, only for the following purposes:
- for data storage
- with the consent of the data subject;
- for establishment, exercise or defence of legal claims;;
- for protection of the rights of another natural person; or
- due to important grounds of public interest.
7.3. When the data subject has requested a restriction of the processing and any of the grounds under Art. 7.1. above exists, Lev Ins shall inform him before lifting of the processing restriction.
Right to data portability
8.1. The data subject has the right to receive the personal data concerning him and which he has provided to Lev Ins, in a structured, widely used and machine-readable format.
8.2. Upon request, this data may be transferred to another controller designated by the data subject where technically feasible.
8.3. The data subject may exercise the right of portability in the following cases:
- the processing is based on the consent of the personal data subject;
- the processing is based on a contractual obligation;
- the processing is carried out in an automated manner.
8.4. The right of portability shall not adversely affect the rights and freedoms of others.
Right to object
9.1. The data subject has the right to object to the processing of his personal data by Lev Ins if the data are processed on one of the following grounds:
9.1.1 the processing is necessary for the performance of a task in the public interest or in the exercise of official powers conferred on the controller;
9.1.2 the processing is necessary for purposes related to the legitimate interests of Lev Ins or a third party;
9.1.3 data processing includes profiling.
9.2. The controller shall terminate the processing of personal data, unless the controller proves that there are compelling legal grounds for its continuation, which take precedence over the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
Right to object to personal data for direct marketing purposes
10.1. When processing personal data for the purposes of direct marketing, the data subject has the right to object at any time to the processing of personal data for this purpose, including with regard to profiling related to direct marketing.
10.2. When the data subject objects to processing for direct marketing purposes, the processing of personal data for these purposes shall be terminated.
Right to human intervention in automated decision-making
11.1. In cases where Lev Ins makes automated individual decisions, including or excluding profiling, which have legal consequences for natural persons or significantly affect them in a similar way, these natural persons may request a review of the decision with human intervention, as well as express their point of view.
11.2. Lev Ins provides the natural persons subject to automated decision-making with essential information about the logic used, as well as the significance and anticipated consequences of this processing for the person.
PART 4: PROCEDURE FOR EXERCISING THE RIGHTS OF PERSONAL DATA SUBJECTS
12.1. The personal data subjects may exercise the rights under these Rules by submitting a request to exercise the respective right.
12.2. A request for the exercise of the rights of personal data subjects may be submitted as follows:
- Electronically to the following email address firstname.lastname@example.org;
- On the spot in the office of Lev Ins;
- By mail to the address of Lev Ins Head Office: Sofia, 67A Simeonovsko Shose Blvd.
12.3. The request for the exercise of personal data rights should contain the following information:
- Identification of the person - name and PIN / policy number / client number;
- Contacts for feedback - address, phone, e-mail;
- Request - description of the request.
13.1 Lev Ins provides information on the actions taken in connection with a request for the exercise of the rights of the subjects, within one month from the receipt of the request.
13.2. If necessary, this period may be extended by further two months, taking into account the complexity and number of requests from a particular person. Lev Ins shall inform the person of any such extension within one month of receiving the request, indicating the reasons for the delay.
13.3. Lev Ins is not obliged to respond to a request in case it is unable to identify the data subject.
13.4. Lev Ins may request the provision of additional information necessary to verify the identity of the data subject when there are legitimate concerns about the identity of the requesting natural person.
13.5. Where the request is submitted by electronic means, the information shall, if possible, be provided by electronic means, unless the data subject has requested otherwise.