In Colonnade Insurance S.A., branch office, we fully respect the privacy of the users of our website, the software applications made available by us, our social media (collectively referred to as our electronic communication services), but in the first place of those who are interested in our insurance products, the policyholders, the insured and other individuals who provide their personal data to us as part of our activities. Therefore we guarantee to you wide protection of your individual rights in connection with your personal data processing on our part, in full compliance with the generally binding laws and regulations.
This Privacy Notice contains a clear and understandable summary of information regarding the manner in which we process your personal data. We highly appreciate that you share your personal data with us and we pay attention to ensuring maximum security and transparency for you.
Should you not understand anything in this Privacy Notice, do not hesitate to contact us via the contacts specified below. We will be happy to explain everything to you.
Colonnade Insurance S.A., branch office
Na Pankráci 1683/127
140 00 Prague 4
Tel: +420 234 108 311
Who is the controller of your personal data and who can you contact?
A controller of personal data is an entity that determines the purposes for which personal data are processed, either on its own or with other entities, and in what manner the data are to be processed.
We, i.e. Colonnade Insurance S.A., branch office, with its registered office at Na Pankráci 1683/127, 140 00 Prague 4, identification no. 044 85 297, registered in the Commercial Register administered by the Metropolitan Court in Prague under file no. A 77229, are the controller of your personal data.
Should you have any questions regarding the use of your personal data by us, or any requests whatsoever, you can contact us by email at firstname.lastname@example.org or at our mailing address Colonnade Insurance S.A., organizační složka, Na Pankráci 1683/127, Praha 4, 140 00.
You can also contact our Data Protection Officer. The Data Protection Officer is a person authorised by us to supervise the data processing and ensure that the data are processed in a due manner in compliance with the laws and regulations. Mr. Boris Kostov is our Data Protection Officer and you can contact him by e-mail at email@example.com.
What personal data do we collect?
In the course of our activities, we collect and subsequently process only such personal data that are necessary for us to make a valid insurance contract with you and subsequently manage the data in a due manner, in compliance with our statutory obligations, provide you with high-quality customer service and co-operate with you as our business partner, while protecting your legitimate interests. Below you will find the particular purposes for which we process such data. The nature of your personal data we process depends on the situation in which they are processed, i.e. on the purpose for which we have obtained such data either from you or otherwise. That means that we will process different personal data if we conduct negotiations with the intention to make an insurance contract than if you report an insured event. It will also depend on whether you are in the position of a policyholder, an insured, a beneficiary, a business partner, or another person related to your business or a contact person.
Sometimes we process personal data of persons who do not have a direct contractual relationship with us. Typically, there are situations where the insured or the beneficiary is different from the policyholder or where the processing of such personal data is necessary for the payment of the indemnity or to meet another statutory obligation.
Depending on your relationship with us your personal data that we process may include, without limitation, the following information:
- General identification and contact information
Your name, surname (including former ones), permanent address, correspondence address, email address and telephone number, sex, title, marital status, family status, date and place of birth, personal identification number, identification number (IČO), registered office address, access data to our systems and applications, education, physical fitness, registration information (such as regarding driving vehicles), photographs, employment history, skills and experience, professional authorisations and memberships, signature, date and cause of death.
- Identification numbers issued by public authorities or entities
Social security number or health insurance number, passport number, tax identification number, military identification number or information regarding your driving licence, ID or other documents etc.
- Financial information and information about accounts
Payment card numbers, bank account numbers and information regarding your bank accounts, credit history and solvency, assets, income and other financial information etc.
- Information about products and services provided to you and our mutual co-operation
This is information provided by you in the course of making an insurance contract or another type of contract and in the related forms and questionnaires, your insurance requirements and expectations, your insurance contract number or numbers of your other contracts, information regarding the course of your insurance and our mutual co-operation, our previous simulations and offers, relationship to the policyholder, the insured or claimant, location and specification of the insured property (such as the address of the property, licence plate number or vehicle identification number), travel arrangements including the booking number, age categories of persons you wish to have insured, numbers of insured events, data regarding the insurance cover/risk, causes of insured events, history of previous loss or insured events, your position as a statutory body or member/shareholder or other ownership interests or management participation in an organisation and other insurance policies you use.
- Personal health information
Current or former state of health, physical and mental, information regarding injuries or disabilities, medical interventions, personal habits (e.g. smoking or drinking alcohol), information about prescribed medicines and anamnesis.
- Information regarding judgments issued in civil and criminal cases and regarding criminal offences
As a prevention or during the process of revealing and investigating frauds, we may obtain information regarding your criminal record or your history of civil judicial proceedings.
- Other sensitive information
In some cases we may obtain sensitive information regarding your trade union membership, your religious beliefs, your political views, your family anamnesis or your genetic data (e.g. if you apply for insurance through a marketing partner who acts as a third party in the capacity of a business, religious or political organisation). We may obtain sensitive information directly from you if you provide them voluntarily (e.g. if you express your preferences regarding treatment based on your religious beliefs).
- Records of your mutual communication
They are in particular records of your communication via any communication channel including records of your telephone calls with us, your calls with our agents and customer centres, email messages, written or other communication, data from using our applications, our website and other interactions between you and us.
- Invoicing and transaction data
They are information regarding the payments of the premium and other funds invested in insurance products, including payments made by us to you and information about other transactions.
- Profile data
This applies to the processing of data stated in our contract, including, but not limited to, your basic physical characteristics (age, sex), address, your risk level in view of the measures against the legalisation of the proceeds of crime and financing of terrorism, information about your trustworthiness towards financial services providers.
- Social media accounts and information from applications
If you use our applications or the content of our social media, we may obtain certain personal data including your social media account identification, your profile picture and other personal data you provide to us. If you choose to link your account on any social media operated by another social media provider to your account created for any of our electronic communication services, you will share with us your personal data disclosed on your social media account. Thus the personal data stated in your social media profile or your friends' profiles may be shared with us.
Where do we obtain personal data?
We usually obtain personal data directly from you when you provide us with your data voluntarily, whether in the form of a completed form, or a draft of an insurance contract or another type of contract or when you report an insured event. We may obtain personal data from publicly available sources, such as public registers and records, as well as from other entities, based on your consent (typically from medical services providers) or from third parties with which we co-operate and that are entitled to access and share your personal data, and also based on social media information you post yourself. We also obtain data from our own activities - such as using our internal databases or the results of profiling or other analyses.
When are you obliged to provide us with personal data?
Providing data based on your consent is voluntary and you can withdraw your consent at any time.
We request other data from you in order to perform a contract, comply with our statutory obligations or defend our legitimate interests. Should you refuse to provide your personal data, we may not be able to provide you with our services.
For what purposes do we process your personal data?
We use your personal data for purposes arising from our activities and for most types of processing we do not need your consent because we are entitled to process your data by operation of law. We are also entitled to process your personal data or a category thereof (where there is a possibility to do so) for different purposes.
For your convenience, we have divided the list of particular purposes into those where we do not need your consent and those for the processing of which we require your prior consent.
The main purposes of processing without the necessity of your consent, where the legal basis for the processing is (i) performance of a contract, (ii) protection of our legitimate interests, or (iii) compliance with our statutory obligations, are the following:
• identification of and ascertaining your identity - the legal basis for the processing is making and performance of a contract and compliance with our statutory obligations;
• negotiations regarding the making of an insurance contract or another type of contract, including establishing the needs and requirements of the client, underwriting and assessment of risk and determining the premium - the legal basis for such processing is the making and performance of a contract and compliance with our statutory obligations;
• administration of the insurance, meeting the obligations arising from an insurance contract or another type of contract, insured events inquiries, providing indemnity based on insurance or other contracts and providing assistance services - the legal basis for such processing is the making and performance of a contract and compliance with our statutory obligations;
• communication with you and other persons in the course of our business activities, client service, customer relationship management, service quality improvement, including sending important information regarding changes in our insurance contracts, other conditions and other information of administrative nature - the legal basis for such processing is making and performance of a contract and compliance with our statutory obligations and the protection of our legitimate interests;
• prevention against, detection and investigation of crime, such as fraud and money laundering, business risk monitoring and management - the legal basis for such processing is the protection of our legitimate interests and compliance with our statutory obligations;
• meeting the requirements of supervisory and other state authorities, providing mandatory co-operation, including the compliance with our statutory requirements arising from special laws and regulations (such as maintaining special records) - the legal basis for such processing is the compliance with our statutory obligations;
• direct marketing (i.e. sending commercial messages to existing clients and clients, with whom we terminated our business relationship 1 year ago or less) - the legal basis for such processing is the protection of our legitimate interests;
• risk assessment and management, profiling, scoring, creating analyses and statistics - the legal basis for such processing is the protection of our legitimate interests and the performance of a contract and compliance with our statutory obligations;
• performance of contracts regarding insurance mediation and other co-operation as part of the provision of our services - the legal basis for such processing is the making and performance of a contract and compliance with our statutory obligations;
• enabling participation in competitions, loyalty programmes and similar events and management of such events (some of the activities are governed by further conditions that may contain additional information in regard to how we use and disclose your personal data, therefore we recommend that you get acquainted with the conditions in detail) - the underlying legal basis for the processing is the making and performance of a contract, however in particular cases we may require your consent;
• facilitating the function of sharing information on social media - the legal basis for such processing is the protection of our legitimate interests;
• compliance with the archiving duties - the legal basis for such processing is the protection of our legitimate interests and compliance with our statutory obligations;
• process management, management of our infrastructure, business operations and compliance with internal principles and procedures, e.g. principles and procedures applicable to audit, reporting, finance and accounting, invoicing and collection of money, IT systems, data and web hosting, securing the operation and processing of records, documents and printing, passing information within the group for administrative purposes - the legal basis for such processing is the protection of our legitimate interests and compliance with our statutory obligations;
• creation and protection of statutory rights, protection of our operations or the operations of any company within the group or any of our business partners in the field of insurance, of our rights, our privacy, our security or our assets and/or rights, privacy, security or assets of companies within our group, of you or other individuals, and the endeavour to use available remedies or mitigating our damage, including the use of camera systems - the legal basis for such processing is the protection of our legitimate interests and compliance with our statutory obligations.
Processing based on your consent:
• processing for purposes other than direct marketing;
• exclusively automated personal data processing;
• recording phone calls and electronic communication for the purpose of the evaluation of the quality of services provided and subsequent improvement thereof.
For how long do we keep your personal data?
We take all precautions to ensure that the personal data we process are reliably adequate for the intended purpose and sufficiently precise and complete to meet the purposes described herein. Thus we keep your personal data for strictly necessary periods of time and observe the data minimization principle.
In general, we keep most of your data for 16 years after the termination of our contractual relationship, which is the period of time corresponding with the maximum statutory limitation period, in order to be able to fulfil our obligations to you and/or submit evidence in judicial proceedings and defend our interests.
Should we receive any personal data from you before an insurance contract is made and in the end the contract is not made, we will process the data for the maximum period of 1 year after they were received by us.
For the purpose of direct marketing, we will process your personal data during the term of our contractual relationship and one year after its termination.
If you give your consent to the processing and sharing of data for purposes other than direct marketing, we will process your personal data during the term of our contractual relationship and 5 years after its termination.
Any records of telephonic communication between us will be processed for the maximum periods corresponding with limitation periods and other statutory time limits.
With whom do we share personal data?
On principle, your personal data are processed within our group and primarily disclosed to our employees for the purpose of providing our services. However, if necessary for the achievement of any of the purposes of processing specified above, we are entitled to disclose your personal data to third parties that are in the position of processors as well as independent or joint controllers. In certain cases we are obliged to disclose your personal data to state and regulatory authorities, where prescribed by the laws and regulations. We may also disclose certain personal data based on your consent.
We are specifically entitled to disclose your personal data under certain conditions to the following entities:
- Companies within our group
For internal administrative purposes, for the purpose of effective communication, for the purpose of the protection of our rights and legitimate interests, to maintain the integrity and up-to-datedness of the data processed, for the purpose of safety and risk management. Thus we can better meet your requirements. If you give us your consent, we will transfer your data within our group also for the purpose of marketing, thanks to which you will gain access to a wider scope of services and products.
Specifically, these are our branch offices in Slovakia, Poland, Hungary, Bulgaria and Romania.
- Other insurance and distribution entities
In the course of marketing, insurance provision and claims adjustment, we may disclose your personal data to third parties, such as other insurance companies, reinsurance companies and reinsurance brokers and other intermediaries and agents, appointed representatives, distributors, partners in the field of affinity marketing and financial institutions, companies dealing in securities and other business partners.
- Our providers of services
We share personal data with those that we authorise to carry out certain external activities. Such external contractors are e.g. physicians, accountants, actuaries, auditors, experts, lawyers and other external expert consultants, providers of travel and medical assistance, customer centre service providers, IT systems, support and hosting service providers, providers of print, advertising and marketing services and providers of market surveys and analyses, banks and financial institutions that administer our accounts, managers of insured events acting as third parties, providers of document and record administration, investigators and claims adjusters, building consultants, technicians, inspectors, jury advisors, translators and similar contractors and external service providers acting as third parties that help us carry out our business activities.
- Public authorities and third parties that are parties to judicial proceedings
To comply with our other statutory obligations, we are obliged to disclose your personal data to the relevant public authorities or other public bodies (such as the Ministry of Finance as part of our collaboration in the field of taxes, tax offices, courts, bodies in charge of criminal proceedings etc.). In possible civil proceedings, your personal data will be disclosed to third parties that are parties to the proceedings.
- Other insurers, Czech Insurance Association and SUPIN s.r.o.
For the purpose of meeting our statutory obligations under the Act on Insurance Industry, in particular as part of the prevention against and detection of insurance fraud and other illegal acts, we share your personal data with other insurance companies, the Czech Insurance Association and its service company SUPIN s.r.o.
- Other third parties
We are also entitled to disclose your personal data to recipients of payments, service providers in case of emergencies (fire fighters, police, emergency medical services), retailers, networks, organisations and medical service providers, transport companies, registers of debtors, registers of loans and other entities related to the insured event, to current and potential buyers or other entities in any current or proposed reorganisation, merger, sale, joint venture, assignment, transfer or other transactions concerning our whole company, its assets or shares or any part thereof. You can also share your personal data on Internet forums, chat, websites with profiles, blogs, social media and as part of our electronic communication service, where you may publicly disclose information and documents (including our social media content without any restrictions). We point out that any information publicly disclosed or announced by you becomes public information and thus may be accessible to the visitors and users of our electronic communication services and to the general public. Therefore we ask you to exercise utmost caution when publicly disclosing your personal data or any other information through our electronic communication services.
Do we use automated individual decision-making?
In the course of the provision of our services, automated decision-making including profiling may occur from time to time. That means that the personal data are processed with the help of automatic information systems based on an algorithm or software code predefined by us.
As you can find in the section below, you are entitled to decide not to be subject to any decision having legal effects on you (such as a dismissal of an offer to make an insurance contract) that would be based solely on automated individual decision-making.
The purpose for using automated individual decision-making is mainly to improve and accelerate the provision of our services. An example of that is the possibility to take out insurance directly online through our website. However, we will be happy to deal with your request personally, if you prefer. We use automated processing for the purpose of marketing. In order to present you with offers that are as interesting and suitable for you as possible, we will process your data for the purpose of analysis and profiling, which process may be exclusively automated. The result of the process will be the evaluation of some of your personal aspects with the aim to adjust our offer to your needs and improve our provider services. However, such processing will be solely based on your consent.
Your rights in connection with personal data protection?
In connection with personal data processing, you have a number of rights you can exercise through our contact details specified above. We will deal with your request within one month (in justifiable cases within three months; we will inform you of the extension of the time limit as well as the reasons in time) and we will not demand any fees to be paid by you. However, should we receive an apparently unjustified or unreasonable request (e.g. a request that is identical with a request you have filed recently), we can demand a reasonable administrative fee to cover our costs in connection with your application.
- You have the right of access to your personal data - You can request a confirmation that we process your data and that we provide you with a copy of such data. The first copy of the data will be provided free of charge and for further copies we may charge an administrative fee to cover our costs.
- You have the right to have your data rectified or completed - You can ask us to rectify inaccurate data. At the same time you have the right to have your incomplete data completed.
- You have the right to have your data deleted - You can also ask us to delete your personal data without undue delay. However, we are obliged to comply with this request only if:
• the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
• you have withdrawn your consent, based on which we processed your personal data (and there are no other legal grounds for processing);
• you successfully raised objections against the processing and there are no overriding legitimate grounds for the processing;
• your personal data have been processed unlawfully;
• your personal data had to be erased for the purpose of compliance with our legal obligations.
We will not comply with your request to have your personal data deleted in particular if the processing thereof is necessary for the establishment, exercise or defence of our legal claims.
- You have the right to a restriction of processing - you can ask us to restrict the processing of your personal data (i.e. not to use them, however, without their complete liquidation), however only in the following cases:
• you have challenged the accuracy of your personal data (the processing will be restricted for the period of time necessary for ascertaining the data accuracy);
• the processing is illegal and you are not interested in the deletion;
• we no longer need your personal data for the purposes of processing but you request them for the establishment, exercise or defence of your legal claims;
• you have raised an objection against processing and it is being verified whether our legitimate grounds for processing override yours.
Even if the processing is restricted, we will be able to continue to process your data if:
• we have your consent;
• it is necessary for the establishment, exercise or defence of our legal claims;
• it is necessary for the protection of the rights of other individuals or legal entities.
- You have the right to your data portability - You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller, however only if:
• the processing is based on your consent or a contract, and
• the processing is automated.
- You have the right to raise an objection - you are entitled to raise an objection against the processing of your personal data that are processed for the purpose of the protection of our legitimate interests. If we are unable to prove to you that we have serious grounds for such processing overriding your interests or rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims, the processing of your personal data will be terminated. You have the right to raise an objection against your personal data processing for the purpose of direct marketing, including profiling, at any time. If you raise such an objection, your personal data will no longer be processed for that purpose.
- You have the right not to be subject to automated individual decision-making - You have the right not to be subject to any decision based on automated individual processing, should such decision-making have any legal or other similar effects on you (such as a dismissal of an offer to make a contract).
In such cases we will grant your request to include a human factor in the decision-making process and enable you to express your opinion or challenge the automated decision-making.
That does not apply in cases where the automated decision is:
• necessary for making a contract;
• permitted under laws and regulations and it provides sufficient guarantee for the protection of your rights, liberties and legitimate interests;
• based on your express consent.
- You have the right to withdraw your consent - if we process your data based on your consent, you are entitled to withdraw the consent at any time. The withdrawal of your consent becomes effective only in regard to the future, therefore the lawfulness of previous processing is not prejudiced. To withdraw your consent, you may use any of the contacts specified above. The withdrawal notice must include the following information:
• who withdraws the consent (therefore state your name, surname, home address, date of birth or other identification); and
• which particular consent you withdraw and to what extent.
- You have the right to file a complaint with the Office for Personal Data Protection - If for any reason whatsoever you believe that your personal data are not processed in a due manner, you can turn to the Office for Personal Data Protection with its headquarters at Pplk. Sochora 27, 170 00 Praha 7, e-mail: firstname.lastname@example.org, telephone: +420 234 665 111.
International transfer of personal data
In view of the nature of our business, for reasons described above, your personal data may be transferred to entities in foreign countries (such as the United States of America and other countries with different data protection rules than those applicable in the country of your permanent residence). We can transfer your personal data for the purpose of processing of international insured events in the field of travel insurance or for the purpose of medical assistance services provision if you stay abroad. International transfers of personal data may be implemented in relation to the companies within our group, service providers, business partners and public authorities.
If it is necessary to share your personal data with countries outside the European Union or the European Economic Area, we guarantee that sufficient measures will be adopted to maintain the level of protection of your rights and interests. That means that we undertake to transfer your personal data only to such countries the laws of which provide a sufficient level of statutory protection of personal data in compliance with the regulations for the protection of personal data and we guarantee that the protection of your personal data will be guaranteed by contractual obligations, certification systems and other measures.
On your request, we will provide you with further information regarding the countries where your personal data may be transferred and in which way they will be protected.
As part of our efforts to protect your personal data we adopt adequate technical, physical, legal and organisational measures in compliance with the applicable laws governing the privacy and data security. Should you have a reason to believe that your communication with us is not secure (e.g. if you get the impression that your personal data security has been threatened), please inform us immediately using the contact information specified above.
If we share your personal data with any entity (see clause 7 hereof), the entity is always subject to careful selection and we pay attention that suitable measures are used to ensure personal data confidentiality and security.
Personal data of third parties
If you provide us with personal data of other individuals, you agree that you will: (i) inform those people about the content hereof, and (ii) obtain all consents required by the law to collect, use, publish and disclose (including any international transfer) such personal data of those individuals in accordance with this Privacy Notice.
Third party services
Please understand that we are not liable for collecting, using and publishing the rules and procedures (including data security procedures) of other organisations, such as Facebook®, Twitter®, Apple®, Google®, Microsoft®, RIM/Blackberry® or any other developer of applications or provider of applications, social media platforms, operation systems, wireless connection or electronic device manufacturer, including any personal data that you disclose to other organisations through or in connection with Colonnade Electronic Communication Services.
Use of our electronic communication services by minors
We inform you that our electronic communication services are not intended for individuals under eighteen (18) years of age, therefore we request that underage individuals do not provide us with their personal data through these electronic communication services.
Changes to the privacy notice
This Privacy Notice is subject to regular reviews and we reserve the right to amend it at any time with the aim of reflecting any changes in our business and legal requirements. Updated as well as historical versions will be available on our website.