Personal data processing policy

POOL-UL DE ASIGURARE ÎMPOTRIVA DEZASTRELOR NATURALE S.A., registered at the Trade Register in Bucharest under no. J40/10819/2009, CUI 26191737, with registered office in Șos. Nicolae Titulescu nr. 4-8, America House, East Wing, 3rd floor, Bucharest, postal code 011141, Bucharest, Romania, hereby informs you about the manner and extent of personal data processing in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter GDPR).

PAID treats the protection of your personal data with the utmost seriousness when collecting, processing and using it in accordance with legal provisions, and wishes to assure you that your personal data is kept safe.

 

What is Personal Data?

In the sense of GDPR, this is any information relating to a natural person who can be identified, e.g. name, address, date of birth, or contact details. All these pieces of information are subject to specific safeguards under the GDPR, which we ensure through a series of appropriate technical and organisational measures.

 

A.   Data Protection and Cybersecurity (website visit)

 

Thank you for visiting our website. We are committed to protecting and respecting your privacy.  

 

1.    Collection of Personal Data:

 

We do not require any data from you to visit a public page on our website. You can browse completely anonymously in the sense of GDPR. For example, you can browse and leave our website at any time. We only record the website from which you came to us and the web pages you visited. Data obtained in this way is analysed for statistical purposes only, in order to improve the online experience we offer you, and cannot be directly attributed to you. However, if you wish to use certain services made available to you, you will leave the public area of the website and enter a protected one. The use of this protected area will require your confirmation of compliance with this policy. Your continued use of the service shall be deemed your voluntary consent to the collection, use and processing of your personal data to the extent necessary to carry out the requested service. The data entered here will be transmitted in encrypted form between your PC and our website through the use of technical standards (SSL/TLS) designed to protect against third-party misuse.

 

2.    Processing of Personal Data:

 

Your personal data is stored on protected computers following specific measures. Access to and further processing of the data is subject to strict internal regulations and is only carried out for the purpose for which you have made your data available to us.

 

3.    Security of Personal Data:

 

The personal data you provide to us as a participant of the protected area of our website is transmitted over the Internet to our computer systems via an encrypted data link; it is then stored and protected (with the exception of data transmitted via e-mail). The people employed to work on our website respect and comply with the principles of data protection in accordance with GDPR, and data is accessed on a controlled basis via a special authorisation procedure.

 

4.    Cookies:

 

We use cookies on our website. These help to generate a more useful and friendly browsing experience and to provide clear online services to visitors.

 

What is a "Cookie"?

 

"Cookies" are small text files which are placed, through a browser app, on your computer, mobile device or other devices used to access the Internet. Cookies are not specific to a certain individual and do not contain any personal information. Browsing information is stored through them, such as the type of browser and operating system, the source page and the name of the domain from which the user connected to a website, with the purpose of meeting the user's needs, as well as how the website is used, for personalization and session management purposes. There will be no merging or combining of this data with other data obtained or retained elsewhere.

Most of the cookies we use are "session cookies", which expire (are deleted) at the end of a browser session. Additionally, there are "persistent cookies" through which we recognize you as a user.

 

Some of the data collected during page visits on our website is used to carry out statistical evaluations by external service providers on our behalf.

 

The types of cookies we use are: 

-      Strictly necessary cookies - cookies that are used by the website to function properly, without which the website would not work.

-      Preference cookies  - enable a website to remember information that changes the way the website behaves or looks, like the preferred language or the region that the visitor is in.

-      Cookies for website performance monitoring that allow for counting visits and traffic sources so we can measure and improve the performance of our website. 

-      Analytical cookies that collect information about the behaviour of website visitors, how they interact with the websites, through collecting and reporting data anonymously. 

-      Marketing cookies that can be set on our website by our advertising partners. 

If you wish to identify each type of cookie stored by the PAID website and how long these are stored on your device, you can select the "Details" button in the Cookies Settings tab where each cookie category is listed. Through the Cookie Settings tab you can manage your cookie preferences, including granting or withdrawing consent. You can at any time withdraw your consent to our use of cookies, except for strictly necessary cookies, without which the website would not work. Without these cookies, we cannot provide some of the features on our website. In addition, you can decide for yourself whether or not to allow the use of cookies via the Settings of the browser application you are using. The specific features of the browser used and instructions for use can be found in the "Options" or "Preferences" menu, in the manual or in the "Help" section of the browser.

Cookies cannot spread any virus and are not harmful to your computer. Cookies help us to adapt the content of the website according to visitors’ preferences, thus improving quality in services and developing new services. 

 

To learn more about cookies, please visit www.allaboutcookies.org or www.youronlinechoices.eu, where you will find additional information on behavioural advertising and online privacy.

 

5.     Registration

In addition to simply accessing our website, you can actively use our website to purchase our product, register a complaint or contact us, etc. In addition to the aforementioned processing of your personal data for informational purposes only, in this case we also process other personal data that we need to fulfill your order or to process and respond to your request.

In order to be able to process and respond to your requests (e.g. via the contact form of our website) we need to process personal data pertaining to you. Such personal data includes your name and e-mail address, where applicable your personal identification number and other information you submit to us. We process your personal data in order to respond appropriately to user requests. 

 

6.     On-line Portal

 

By using this portal you have access to information on the products offered/insured and the possibility to conclude mandatory home insurance (PAD) contracts electronically.

If you wish to conclude a mandatory home insurance (PAD) electronically, we need the information you provide in order to issue the quotation, conclude the insurance contract and assess risk assumptions. The Terms and Conditions of Using the portal are the rules for the electronic provision of insurance services by PAID and acceptance of these is a prerequisite for access.

 

7.     PAD Check

 

This is the service made available by PAID that allows you to find out the number, series and expiry date of your policy, as well as the name of the insurance company that issued your policy, if for any reason you no longer have this information.

In order to be able to return this information, your identity must be validated. In this case PAID retains information such as your personal identification number, phone number, e-mail address and browsing information (IP, browser type). After the return of the response, this information will be stored for 6 months for anti-fraud purposes. In this respect, a series of reports will be extracted: multiple queries from the same IP, multiple queries for the same CNP/personal identification number, number of results sent to the same email address or phone number.

 

B.      The processing of Personal Data

 

In the following, we will inform you about the collection of personal data by PAID and the rights you have in accordance with GDPR provisions.

 

1.      Data Protection Officer:

 

You can contact our Data Protection Officer/DPO regarding the processing of your personal data via registered mail to our postal address, marked for the attention of DPO or by e-mail to: dpo@paidromania.ro.

 

2.      The Legal Grounds and Basis to Process Personal Data:

 

We process your personal data in accordance with the EU General Data Protection Regulation (GDPR), Law 190/2018, Law 260/2008 and 191/2015, the provisions of Law 237/2015 - on the authorisation and supervision of the activity of insurance and reinsurance, which are relevant to data protection, and all other applicable laws. 

If you apply for a mandatory home insurance (PAD), we need the information you provide in order to issue the offer, conclude the insurance contract and assess risk assumptions. We need information relating to damages, for example, to be able to check whether an insured event has occurred and what loss has been suffered.

 

The conclusion or execution of the insurance contract is not possible without the processing of your personal data.

 

Additionally, we need your personal data to compile insurance statistics, e.g. for compliance with insurance market regulatory requirements.

We use the data of all existing contracts in order to take into account the entire customer relationship, e.g. for issuing additional documents or providing relevant information.

 

3.     The Legal Basis to Process Personal Data:

 

Article 6(1)(b) GDPR provides a lawful basis for the processing of personal data in pre-contractual and contractual situations where “processing is necessary for the performance of a contract”.

 

We also process your data for the purposes of the legitimate interests pursued by us or by a third party. This may be necessary notably in order:
- to ensure IT security and IT operations,
- to promote our own insurance products and to carry out market and opinion research,
- to prevent and investigate crime, in particular for the analysis of data indicating the existence of insurance fraud.

 

Additionally, processing of your personal data is necessary for compliance with a legal obligation, such as regulatory requirements, or retention obligations, commercial and fiscal obligations.

 

The legal ground for processing in this case is Article 6(1)(c) of the GDPR.

 

If we intend to process your personal data for other purposes than communicated above, we will inform you in advance within the limits of the legal provisions.

 

4.     Sources of Personal Data:

 

The company and others involved in the process of issuing PAD policies, claims and claims settlement collect your personal data directly or from a third party acting according to your instructions. For people receiving public social assistance, your personal data shall be made available to us according to the law by the administrative-territorial units and the County Agency for Payments and Social Inspection (AJPIS).

If you provide us with the personal data of another person as an insured individual or as a beneficiary of the insurance contract, you are responsible for informing those individuals in accordance with the EU General Data Protection Regulation (GDPR). 

The data collected are in accordance with Law no. 260/2008 republished and the norms issued on its application. These include, but are not limited to: name and surname, personal identification number, other identification data, date of birth, home address, mailing address, telephone number, e-mail address, address of the property to be insured, identification data of the insurance beneficiary.


 

5.     The Categories of Recipients of Personal Data:

 

Insurance intermediaries:

To the extent that the policy has been issued through an insurance intermediary, including an insurance company authorised to issue PAD insurance policies, the intermediary will process the application, contract and claims information necessary for the conclusion and execution of the insurance contract, the intermediary being a processor of PAID, i.e. a data controller for its own processing purposes.

 

Service providers:

To fulfill our contractual and legal obligations we use service providers involved in the processing of personal data, e.g. IT service providers, document archiving companies, payment processing companies, consultants, experts.

 

Reinsurers:

We insure the risks assumed by PAID with special insurance companies (reinsurers).

To do this, we may need to pass contract data and, if necessary, claim data on to a reinsurer who can form their own assessment of the risk or insured event. In addition, there’s a possibility for the reinsurer to support our company thanks to its special expertise in risk or performance assessment and in evaluating procedures.

We only transmit your data to the reinsurer insofar as this is necessary for the execution of our insurance contract with you or for the purposes necessary to protect our legitimate interests.

 

Other recipients:

In addition, we may transfer your personal data to other recipients, for example at the request of authorities or to meet legal notification requirements (e.g. tax authorities, courts, town halls).

 

6.     Data Storage Limitation:

 

We will delete personal information as soon as its retention is no longer necessary to fulfill the above purposes. Personal data may be kept for the period during which damage claims or complaints against our company can be made (e.g. the limitation period is three years). In addition, we store your personal data to the extent that we are legally obliged to do so. The corresponding evidence retention and withholding rights appear, among others, in the Civil Code, the Fiscal Code and the Money Laundering Act.

Storage periods are up to ten years, such as:

a)      the data processed for the purpose of the offer that hadn’t turned into an insurance contract is to be stored for a period of up to 60 days after the expiry of the offer;

b)      for the period during which claims may be brought against the Company (insurance or general limitation period);

c)      during the term of the insurance contract for personal data necessary for the performance of the contract, including personal data which the insurer, in the course of the legal relationship, may come into contact with;

d)      for 10 years from the end of the financial year in which they were drawn up for the personal data required to prepare the compulsory accounting registers and supporting documents on which the entries in the financial accounts are based, for fulfilling the obligations under the law in connection with the keeping of accounts under the National Archives Law No 16/1996 and Accounting Law No 82/1991;

e)      for 10 years from the date of creation of the document for personal data contained in claim files, together with the related technical records and accounting records;

f)       for 10 years from the date of the creation of the financial auditor's annual report, of any other report provided by insurance legislation, of documents of practical value on the basis of which copies, certificates and extracts relating to the individual rights of insured individuals are issued in accordance with Rule no. 33/2017 of the Financial Supervisory Authority;

g)      until the expiry of the limitation period, in cases where the insurer would have a legitimate interest in keeping certain personal data in connection with a potential dispute that might arise between the parties;

h)      for 30 days for the recordings used in the video monitoring process;

i)       until consent is withdrawn for the situation where you have given your consent to the processing of data for various specific purposes (if applicable);

j)       for 5 years for documents needed to identify business partners.

 

7.      The Rights of Data Subjects/Individuals:

 

Right to access:

You shall have the right to access personal data held by us as a Data Controller. 

This right allows you to access all personal information that PAID processes about you and to request information, such as: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored.

All such information in the form and content available at this time is provided by this policy.

In certain situations expressly provided by applicable law, we may charge for an access request.

We will try to respond promptly to any request for information and, in any case, within the time limits expressly stated in the applicable legal provisions (usually within 30 days from registration of the request).

 

Right to rectification of data:

You shall have the right to obtain from PAID the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Where possible or necessary and if we are informed that your data is no longer accurate, we will make corrections (where appropriate) on the basis of updated information and inform you about this.

 

Right to erasure of data:

You shall have the right to obtain from PAID the erasure of personal data concerning you where one of the following grounds applies:

 

-       the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

-       you object to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing of personal data;

-       the personal data have been unlawfully processed;

-       the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which PAID is subject;

-       other situations provided by the Regulation insofar as applicable

 

The right to erasure of data shall be exercised within the limits and with the exceptions provided by the Regulation. Thus PAID shall not proceed with the erasure of data to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation to which PAID is subject; (c) for reasons of public interest in the area of public health; (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes or (e) for the establishment, exercise or defense of legal claims.

 

Right to restriction of processing: 

Restriction of processing entails the marking of stored personal data in order to limit their further processing. Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.

 

You have the right to restrict processing where one of the following applies:

-      The accuracy of the personal data is contested by you, for a period enabling PAID to verify the accuracy of the personal data;

-      The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

-      PAID no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims;

-      You have objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

 

If restriction of processing has been obtained pursuant to any of the aforementioned situations, you shall be informed by PAID before the restriction of processing is lifted.

 

Right to data portability:

You shall have the right to receive the personal data concerning you, which you have provided to PAID, in a structured, commonly used and machine-readable format, and the right to have those data transmitted by PAID, as the controller to which the personal data have been provided, to another controller expressly indicated by you, where this is technically feasible.

 

Right to object:

Where PAID does not process your data for performance of a contract you are a party to or in order to take steps at your request prior to entering into a contract or where the processing is necessary for PAID to fulfill a legal obligation, we bring to your attention that you shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions, unless PAID demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Right to object to processing for direct marketing purposes: where personal data are processed by PAID for direct marketing purposes, you have the right to object to such processing, including profiling insofar as it relates to direct marketing.

 

Right to withdraw consent:

If the processing is based on your consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of the processing prior to its withdrawal. The withdrawal of consent is not applicable in cases where the data processing is not based on consent.

 

Right to lodge a complaint:

We hope that you will never have to do this, but if you wish to complain about issues concerning the use of your personal data, please send an email with details of your complaint to dpo@paidromania.ro, use the online form available in the contact section of the website, or write to us.

We will investigate and respond to any complaints we receive. You also have the right to lodge a complaint with the National Supervisory Authority of Personal Data Processing ("ANSPDCP") by accessing www.dataprotection.ro.

 

8.     Verified request on the exercise of the rights of the data subjects:

 

If we receive a request from you exercising any of the rights listed above, we may ask you for additional information to verify your identity before acting on your request. This preliminary step is to ensure that your data is protected and kept secure.

 

9.      Transfer of personal data outside the European Union:

 

Our company can transfer data outside the European Union to reinsurers based outside the EU. Where necessary, the transfer of data is carried out by adopting the necessary technical and organisational measures in accordance with the GDPR requirements applicable at the time of the transfer.

PAID pays great attention to data protection. The Company has adopted technical and organizational measures to protect you and your information from unauthorized access, modification, disclosure or destruction.

 

Version history of the GDPR information document (only in RO):

Information on the processing of personal data version 1.

Information on the processing of personal data version 2.

Information on the processing of personal data version 3.

Information on the processing of personal data version 4.