This Policy sets out the conditions and procedure under which natural persons whose personal data are processed by Insurance Company Lev Ins AD (Lev Ins, the Company, We) may exercise their rights in accordance with personal data protection legislation.
PART 1: GENERAL PROVISIONS
1.1. LEV INS processes, stores, and protects personal data collected in the course of its activities in a transparent and lawful manner and in accordance with the purposes for which the data are collected.
1.2. This policy also applies to the way in which the Company's employees process personal data for the purposes of distribution of insurance products, conclusion of insurance policies, fulfillment of obligations under insurance contracts and settlement of claims under insurance contracts as part of their employment obligations. Employees are required to observe the following principles when processing personal data:
1.2.1 Personal data are processed lawfully and in good faith.
1.2.2 Personal data shall be collected for specific, explicit, and legitimate purposes or purposes of a similar nature and shall not be further processed in a manner incompatible with those purposes.
1.2.3 Personal data collected and processed in the course of human resources management shall be relevant, related to, and limited to what is necessary for the purposes for which they are processed.
1.2.4 Personal data shall be accurate and, where necessary, kept up to date.
1.2.5 Personal data shall be erased or rectified without undue delay where they are found to be inaccurate or inconsistent with the purposes for which they are processed.
1.2.6 Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.
1.3. Employees who process personal data receive initial and periodic confidentiality training and are familiar with applicable legislation.
1.4. All personal data and any other information by which a natural person can be identified shall be collected and processed only where necessary and to the extent required for the performance of the employee’s professional duties, provided that such activities are carried out within the scope of the employee’s authority and in compliance with applicable personal data protection legislation.
PART 2: DEFINITIONS
The terms below shall have the following meanings:
“Personal data” means any information relating to an identified or identifiable natural person, who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, intellectual, economic, cultural, or social identity of that natural person;
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person’s professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements;
“Data subject” means an identified or identifiable natural person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or one or more factors specific to that person’s identity;
“Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether by automated means or otherwise, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or destruction.
PART 3: RIGHTS OF PERSONAL DATA SUBJECTS
Data subjects have the following rights regarding their personal data:
- Right of access;
- Right to rectification;
- Right to data portability;
- Right to be erased (right to be forgotten);
- Right to request restriction of processing;
- Right to object to the processing of personal data;
- Right of the data subject not to be subject to a decision based solely on automated processing, including profiling.
Right of access
2.1. On request LEV INS provides to a personal data subject the following information:
2.1.1 confirmation whether LEV INS processes personal data of the person or not;
2.1.2 a copy of the personal data of the person which are processed by Lev Ins, provided that this does not infringe on other people's rights and legitimate interests, and
2.1.3 explanation of the data processed.
2.2. The explanation under Art. 2.1.3 includes the following information regarding the personal data processed by Lev Ins:
2.2.1 the purposes of the processing;
2.2.2 the relevant categories of personal data;
2.2.3 the recipients or categories of recipients to whom the personal data are or will be disclosed, in particular recipients in third countries or international organisations;
2.2.4 where possible, the intended period for which the personal data will be stored and, if this is not possible, the criteria used to determine this period;
2.2.5 the existence of the right to request the rectification or erasure of personal data or restriction of the processing of personal data relating to the data subject or to object to such processing;
2.2.6 the right to appeal to a supervisory authority;
2.2.7 where personal data are not collected from the data subject, any available information on their source;
2.2.8 the existence of automated decision-making, including profiling, and information on the logic used, as well as the significance and anticipated consequences of this processing for the data subject;
2.2.9 when personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards in connection with the transfer.
2.3. The explanation of the data processed includes the information that Lev Ins provides to the data subjects through a privacy notice.
3.1. Upon request from the personal data subject, Lev Ins may provide a copy of the personal data that are being processed.
3.2. When providing a copy of personal data, Lev Ins shall not disclose the following categories of data:
3.2.1 personal data of third parties, unless they have expressly agreed to this;
3.2.2 data that constitutes a trade secret, intellectual property or confidential information;
3.2.3 other information that is protected under applicable law.
3.3. Granting access to personal data subjects may not adversely affect the rights and freedoms of third parties or lead to a breach of a legal obligation of Lev Ins.
4.1. Where requests for access are manifestly unfounded or excessive, in particular because of their repetitive nature, Lev Ins may charge a reasonable fee based on the administrative costs of providing the information.
4.2. Lev Ins assesses on a case-by-case basis whether a request is manifestly unfounded or excessive.
4.3. In the event that a request for access to personal data is manifestly unfounded, Lev Ins may refuse access, justifying its refusal and informing the data subject of his or her right to lodge a complaint with the Data Protection Commission.
Right to rectification
5.1. Data subjects may request that their personal data processed by Lev Ins be rectified where they are inaccurate or incomplete.
5.2. Upon satisfaction of a request for rectification of personal data, Lev Ins notifies the other recipients to whom the data have been disclosed (e.g. public authorities, service providers) so that they can reflect the changes.
Right to be erased ("right to be forgotten")
6.1. Upon request, Lev Ins is obliged to erase personal data if any of the following reasons exist:
6.1.1 personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
6.1.2 the data subject withdraws his consent on which the data processing is based and there is no other legal basis for the processing;
6.1.3 the data subject objects to the processing and there are no legitimate grounds for the processing to take precedence;
6.1.4 the data subject objects to the processing of personal data for the purposes of direct marketing;
6.1.5 personal data have been processed unlawfully;
6.1.6 data must be erased in order to comply with a legal obligation of Lev Ins;
6.1.7 personal data have been collected in connection with the provision of information society services to children within the meaning of Article 8 (1) of Regulation (EU) 2016/679.
6.2. Lev Ins is not obliged to erase personal data insofar as the processing is necessary:
- to exercise the right to freedom of expression and the right to information;
- to comply with a legal obligation of Lev Ins, which requires processing;
- for reasons of public interest in the field of public health in accordance with Article 9 (2) (h) and (i) and Article 9 (3) of Regulation (EU) 2016/679;
- for archiving purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89 (1) of Regulation (EU) 2016/679, insofar as the right of erasure is likely to make it impossible or seriously impede the processing purposes; or
- for establishment, exercise or defence of legal claims.
Right to restriction of processing
7.1. The data subject has the right to request a restriction on processing when any of the following grounds exist:
7.1.1 the accuracy of personal data is contested by the data subject for a period that allows the controller to verify the accuracy of personal data;
7.1.2 the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
7.1.3 the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
7.1.4 the data subject has objected to the processing on the basis of the legitimate interest of Lev Ins and an investigation is underway as to whether the legal grounds of the controller take precedence over the interests of the data subject.
7.2. Lev Ins may process personal data, the processing of which is restricted, only for the following purposes:
- for data storage;
- with the consent of the data subject;
- for establishment, exercise or defence of legal claims;
- for protection of the rights of another natural person; or
- due to important grounds of public interest.
7.3. When the data subject has requested a restriction of the processing and any of the grounds under Art. 7.1. above exists, Lev Ins shall inform him before lifting the processing restriction.
Right to data portability
8.1. The data subject has the right to receive the personal data concerning him and which he has provided to Lev Ins, in a structured, widely used and machine-readable format.
8.2. Upon request, this data may be transferred to another controller designated by the data subject where technically feasible.
8.3. The data subject may exercise the right of portability in the following cases:
- the processing is based on the consent of the personal data subject;
- the processing is based on a contractual obligation;
- the processing is carried out in an automated manner.
8.4. The right of portability shall not adversely affect the rights and freedoms of others.
Right to object
9.1. The data subject has the right to object to the processing of his personal data by Lev Ins if the data are processed on one of the following grounds:
9.1.1 the processing is necessary for the performance of a task in the public interest or in the exercise of official powers conferred on the controller;
9.1.2 the processing is necessary for purposes related to the legitimate interests of Lev Ins or a third party;
9.1.3 data processing includes profiling.
9.2. The controller shall terminate the processing of personal data, unless the controller proves that there are compelling legal grounds for its continuation, which take precedence over the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
Right to object to the processing of personal data for direct marketing purposes
10.1. When processing personal data for the purposes of direct marketing, the data subject has the right to object at any time to the processing of personal data for this purpose, including with regard to profiling related to direct marketing.
10.2. When the data subject objects to processing for direct marketing purposes, the processing of personal data for these purposes shall be terminated.
Right to human intervention in automated decision-making
11.1. In cases where Lev Ins makes automated individual decisions, including or excluding profiling, which have legal consequences for natural persons or significantly affect them in a similar way, these natural persons may request a review of the decision with human intervention, as well as express their point of view.
11.2. Lev Ins provides the natural persons subject to automated decision-making with essential information about the logic used, as well as the significance and anticipated consequences of this processing for the person.
PART 4: PROCEDURE FOR EXERCISING THE RIGHTS OF PERSONAL DATA SUBJECTS
12.1. The personal data subjects may exercise the rights under these Rules by submitting a request to exercise the respective right.
12.2. A request for the exercise of the rights of personal data subjects may be submitted as follows:
- Electronically to the following email address ;
- On the spot in the office of Lev Ins;
- By mail to the address of Lev Ins Head Office: Sofia, 67A Simeonovsko Shose Blvd.
12.3. The request for the exercise of personal data rights should contain the following information:
- Identification of the person - name and PIN / policy number / client number;
- Contacts for feedback - address, phone, e-mail;
- Request - description of the request.
13.1. Lev Ins provides information on the actions taken in connection with a request for the exercise of the rights of the subjects, within one month from the receipt of the request.
13.2. If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests from a particular person. Lev Ins shall inform the person of any such extension within one month of receiving the request, indicating the reasons for the delay.
13.3. Lev Ins is not obliged to respond to a request in case it is unable to identify the data subject.
13.4. Lev Ins may request the provision of additional information necessary to verify the identity of the data subject when there are legitimate concerns about the identity of the requesting natural person.
13.5. Where the request is submitted by electronic means, the information shall, if possible, be provided by electronic means, unless the data subject has requested otherwise.