Personal data processing at PZU Kindlustus (privacy policy)

You can find the latest version of the privacy policy here.

The Privacy Policy will give you important information on the personal data processing principles of PZU Kindlustus (hereinafter PZU). The Privacy Policy gives an overview of the following topics:

• 1. Definitions

  1.1 Data Subject/you means a natural person about whom PZU has information or information that makes it possible to identify a natural person.
  1.2 Data Protection Officer means the person who monitors and helps PZU implement the principles of personal data processing, and whom the Data Subject can contact in the case of possible questions/complaints.
  1.3 Client means any natural person or legal entity who uses, has used or has expressed their wish to use the Services of PZU.
  1.4 Visitor means a person who uses the Website.
  1.5 Cookies means data files sometimes saved on the Visitor’s device on the Website.
  1.6 Child means, in the context of personal data processing upon the provision of information society services in the Republic of Estonia, a person under 13 years of age who cannot give their consent to personal data processing themselves.
  1.7 Contract means the contract for provision of the Service (insurance contract) or another contract made between PZU and the Client, incl. standard terms and conditions and other applicable procedures and policies.
  1.8 Privacy Policy means this text, which stipulates the personal data processing principles of PZU.
  1.9 Services means the services and products of PZU.
  1.10 Website primarily means the PZU website www.pzu.ee, as well as social media pages, online store and self-service of PZU.

  Personal data terms are used in the Privacy Policy with the meaning given to them in the General Data Protection Regulation (2016/679).

• 2. General information and contact details

  2.1 About us. PZU is the trademark of AB Lietuvos draudimas Estonia branch in Estonia. AB Lietuvos draudimas is a Lithuanian insurance company that belongs to the international PZU Group. PZU is a legal entity, registry code 12831829, located at Pärnu mnt 141, 11314 Tallinn, Harju County, Estonia PZU processes your personal data as the controller.

  2.2 Contact. You can contact PZU with questions about personal data by sending an e-mail to isikuandmed@pzu.ee.
  2.3 PZU has appointed a Data Protection Officer, who can be contacted by sending an e-mail to isikuandmed@pzu.ee.

  2.4 About the Privacy Policy. The Privacy Policy is an inseparable part of the Contract entered into by PZU and the Client.
  2.5 The Privacy Policy applies to Data Subjects and all employees and cooperation partners of PZU, who come in contact with the personal data in the possession of PZU, proceed from the rights and obligations specified in the Privacy Policy.
  2.6 PZU has the right to amend this Privacy Policy unilaterally. We will inform the Data Subjects of amendments on the PZU Website or in another manner.

  Please note that the information behind the links on the PZU or in social media is regulated by the privacy policies of the respective service providers. Also, your personal data are processed in various social media channels according to the privacy policies of these platforms.

• 3. Principles

  3.1 The objective of PZU is responsible personal data processing, where PZU is prepared to demonstrate the compliance of personal data processing with established goals and the applicable regulation.
  3.2 All processes, guidelines, actions and activities of PZU that are related to personal data processing proceed from the following principles: lawfulness, fairness, transparency, purposefulness, minimisation, correctness, restricted retention, reliability, confidentiality, and integrated data protection by default.

• 4. General purposes, grounds and activities of processing

  4.1 The objective of PZU is to provide a quality insurance service and customer service that considers the needs of the Client.
  We use the following grounds as the grounds for personal data processing that arise from law:
  4.2 Consent. On the basis of consent, we process personal data within the limits, to the extent and for the purposes for which the Data Subject has granted their permission to PZU. The Data Subject gives their voluntary, specific, informed and unambiguous consent by, for example, ticking a box in the online store. Consent can also be expressed with clear action, e.g. the Data Subject can submit queries to chatbot Piri on the PZU Website.
  4.3 Entry into and performance of the Contract. We may process personal data for the following purposes upon the entry into and performance of the Contract:
  (1) taking measures before the entry into the Contract, which are necessary for entering into the Contract or requested by the Data Subject;
  (2) Identification of a client to the extent required by the due diligence obligation;
  (3) performance of the obligations to the Client in respect of the provision of its Services;
  (4) communication with the Client, incl. sending information and reminders about the performance of the Contract;
  (5) ensuring the performance of the Client’s payment obligation;
  (6) establishment, exercise and defence of claims.
  Please note that the purpose of data processing may be additionally stipulated in the specific Contract entered into with you and/or in the different service terms and conditions of PZU.
  4.4 Legal obligation. We process personal data for the performance of a legal obligation according to the provisions of and to the extent permitted by law.
  4.5 Legitimate interest. Legitimate interest means the interest of PZU to manage its company and to provide the best possible Services on the market. We have assessed your interests before we exercise our legitimate interest.You have the right to read the assessment(s) of legitimate interest prepared in relation to data processing based on legitimate interest concerning yourself. We may process your personal data on the basis of legitimate interest for the following purposes:
  (1) to ensure a relationship of trust, e.g. processing that is necessary for compliance with requirements for prevention of money laundering and terrorist financing or prevention of fraud;
  (2) client base management, analysis, profiling, pricing and marketing activities to improve the accessibility, selection and quality of the Services, and to make the best and more personal offers with the consent of the Client. Additionally, we may use legitimate interest upon preparing our price policy and pricing, e.g. by performing price elasticity tests (incl. automated prices, price impact analysis and segmentation). PZU does not process data on the basis of legitimate interest within the meaning of Article 22 of GDPR. If we process data on the basis of Article 22, we will provide you with the information thereon;
  (3) analysis of the identifiers and personal data collected upon the use of the Website, PZU’s social media pages, self service and other channels, and statistics of Visitors and Clients to ensure a better user experience, higher quality of service and the functioning of various channels;
  (4) for the organisation of campaigns, incl. organisation of personalised and targeted campaigns, there may be prize draws associated with campaigns. The terms and conditions of campaigns are separately stipulated;
  (5) for satisfaction polls, incl. customer satisfaction and measurement of the efficiency of marketing activities;
  (6) for making recordings, we may record messages and orders given on our premises as well as by means of communication (e-mail, telephone, etc.), also information and other operations we’ve performed, incl. the calls made to landline numbers will be recorded. Where necessary, we will use these recordings to prove orders or other operations;
  (7) for network, information and cyber security purposes, e.g. the measures taken to combat piracy and guarantee the security of the Website, make and save backup copies;
  (8) processing for organisational purposes, primarily for financial management and transmission of personal data within the group for internal administrative purposes (also audits and other possible supervision), including for processing the personal data of Clients or employees;
  (9) we may share personal data when we conclude business transactions or hold negotiations about a business transaction, which covers the entire business of PZU or the sale or transfer of property. These transactions may cover any merger, financing, acquisition or bankruptcy transaction or proceedings;
  (10) preparation, establishment or defence of legal claims, incl. the waiver of claims to, for example, debt collection service providers or receipt of information from assessors of creditworthiness;
  4.6 New purpose. If personal data are processed for a purpose that is new in comparison to the one for which the personal data was initially collected or nor based on the consent given by the Data Subject, we carefully assess the permissibility of such new processing. When ascertaining whether processing for the new purpose corresponds to the purpose for which the personal data were initially collected, we also take the following into account:
  (1) the connection between the purposes for which the personal data were collected and the purposes of the intended further processing;
  (2) the context of personal data connection, primarily between the Data Subject and PZU;
  (3) the type of personal data, especially whether special categories of personal data or personal data related to offences and convictions in offences are processed;
  (4) the possible consequences of the intended further processing for Data Subjects;
  (5) the existence of appropriate protective measures, which may be encryption, pseudonymisation and similar.
  4.7 Read more about the processing of the personal data of job applicants here: https://pzu.ee/pzu/liitu-meeskonnaga./

• 5. Overview of specific processing of insurance service/products

  5.1 PZU providers various insurance services, i.e. PZU Services. Here, you will find information about the personal data processing related to the insurance service/products – overview of related activities:
  (1) assessment of insurance risk and creditworthiness for entry into an insurance contract and collection of related data. Upon the assessment of insurance risk and creditworthiness, PZU has special legal rights and obligations, e.g. the ability to transmit (and receive) information about the submission of false data or intentionally triggered insured events upon the assessment of creditworthiness;
  (2) entry into insurance contract;
  (3) performance of the insurance contract, incl. automated personal data processing upon the assessment of insurance risk and calculation of insurance premiums, invoicing and transmission of the information needed by you, and making a new quote before and/or upon the expiry of the insurance contract;
  (4) investigation of insured events, collection of evidence, communication and other possible data exchange;
  (5) claims handling and related activities, incl. possible data exchange with the authorities;
  (6) exercise of the right of recourse;
  (7) submission of quotes for additional insurance services/products and information exchange, incl. transmission of information to motor insurance Clients about the options of ordering a green card;
  (8) personal data processing in relation to PZU risk events.
  5.2 In addition to the above, PZU has the obligation or right to transmit data in certain cases in relation to transmit data, e.g.:
  (1) transmission of data related to an insured event to a reinsurer;
  (2) data exchange/transmission upon the assessment of insurance risk and creditworthiness;
  (3) provision of information to supervisory authorities, auditors, bodies of investigation, the Prosecutor’s Office, the Financial Intelligence Unit, courts, trustees in bankruptcy, mortgagees and commercial pledge holders;
  (4) transmission/data exchange with the Motor Insurance Register (Relika).
  5.3 In order to enter into an insurance contract or file related claims, PZU may receive information from state and/or local government authorities and various registers (e.g. Relika), health service providers and other relevant third parties, incl. from other insurers.
  5.4 PZU has established a self-service environment for a smoother and better provision of the insurance service/products and client communication, where active insurance contracts etc. can be seen. Personal data are processed in the self-service environment pursuant to the Privacy Policy.
  Please note that the differences of personal data processing in relation to insurance services may be additionally stipulated in the specific Contract entered into with you and/or in the different service terms and conditions of PZU.

• 6. Composition of personal data, data subjects and collection

  6.1 We collect the following types of personal data:
  (1) the personal data disclosed by the Data Subject to PZU;
  (2) the personal data generated in the course of the ordinary communication between the Data Subject and PZU;
  (3) the personal data obviously disclosed by the Data Subject (e.g. in social media);
  (4) the personal data generated upon the use of services (e.g. use of the self-service environment of PZU);
  (5) the personal data generated as a result of visiting and using the website;
  (6) personal data received from third parties;
  (7) the personal data created and combined by PZU (e.g. e-correspondence during the client relationship or order history).
  6.2 In general, PZU processes the data of the following Data Subjects: PZU’s employees, (potential) client, person to be insured, beneficiary, victim (in an insured event), the person who caused the damage, the policyholder, the person related or equal to the policyholder, the injured parties, the legal representatives of a person, witnesses and other natural persons from whom we receive information/who we use for the provision of the Service and/or for filing claims.
  6.3 More specifically, we collect/may collect the following personal data, among others, in relation to the insurance service/product: name; ID code/registry code, date of birth, age, position, address/location, place of business, representative(s), contact persons, contact details, current account number; policy information, payment/invoice information, information on the use of PZU’s systems, data on the basis of the insurance interest, the risk to be insured, the property to be insured and insured events, data of the effectiveness and performance of the contract, data of the damage(s), incl. damage to health or other health data, incl. insurance and damage history, data of payment discipline and other data concerning the provision/use of the Service and the operations of PZU.
  Please note that the composition of the data collected may differ from the data listed here depending on the insurance service/product and/or the specific situation, e.g. the age, engine capacity, etc. may be taken into account when a vehicle is insured whilst fire resistance and other engineering data may be taken into account when a building is insured.
  Please note that PZU may taken the collected data into account upon the assessment of insurance risk, preparation of quotes and provision of the Service.
  6.4 PZU collects the data of Children upon the provision of the Service. The data of Children are generally processed with the consent of their parents or guardian and for a clearly specified purpose, e.g. appointment as the beneficiary or insured person.

• 7. Transmission and authorised processing of personal data

  7.1 We cooperate with persons to whom we may transmit data related to Data Subjects, incl. personal data, within the scope and for the purposes of cooperation. We transmit personal data to a third party if the obligation to transmit the data arises from law or if PZU has entered into a contract with a third party for controlling and/or processing personal data.
  7.2 Such third parties may be, among others, entities belonging to the same consolidation group as PZU, resellers of PZU’s insurance services/products – brokers and agents, claims handling partners (including repair companies, experts, authorised physicians), advertising and marketing partners, customer satisfaction polling companies, debt collection service providers, payment default registers, ICT partners, i.e. providers of various technical services, invoice transmission service providers, on the condition that:
  (1) the respective purpose and processing are lawful;
  (2) personal data are processed according to the guidelines of PZU and on the basis of an effective contract.
  7.3 In other cases, we will transmit your personal data to third parties if PZU has your consent to this or in exceptional cases where transmission is necessary for the protection of your vital interest.
  7.4 As a general rule, we don’t transmit personal data outside the European Economic Community. If we transmit personal data outside the European Union, we do it in compliance with he requirements of data protection legislation, e.g. if the European Commission has decided that adequate protection exists in the respective country, or we have taken adequate protection measures if such a decision does not exist (e.g. binding internal rules or standard data protection clauses).

• 8. Rights and exercise of the rights of data subjects

  8.1 Rights related to consent:
  (1) the Data Subject has the right to inform PZU at any time that they wish to withdraw their consent to personal data processing. The withdrawal of consent does not affect the lawfulness of previous processing.
  (2) You can exercise your rights related to consent by sending an e-mail to PZU at isikuandmed@pzu.ee.
  8.2 Upon personal data processing, the Data Subject has the following rights on the conditions set forth in the GDPR:
  (1) the right to receive information, i.e. the right of the Data Subject to receive information on the personal data collected about them;
  (2) the right to access data, which covers the right of the Data Subject to obtain a copy of the processed personal data. The Client can also access many of the collected personal data in the PZU self-service environment;
  (3) the right to correction of incorrect personal data. The Data Subject can correct incorrect data by contacting PZU using the contact details given above or by using the self-service environment to correct certain personal data;
  (4) the right to deletion of data, i.e. in certain cases, the Data Subject has the right to demand deletion of personal data, e.g. if processing is done only on the basis of consent;
  (5) the right to request restriction of personal data processing. This right arises, among others, if personal data processing is not permitted on the basis of law or temporarily if the Data Subject contests the correctness of the personal data;
  (6) the right to transfer data, i.e. in certain cases, the Data Subject has the right to obtain their personal data in machine-readable format, or demand their transmission in machine-readable format to another controller;
  (7) the rights related to automated processing and profiling, which means that the Data Subject has the right to object to the processing of personal data concerning them at any time depending on their specific situation if such processing is based on automated decisions/profiling, and demand intervention by a human being. The Data Subject may also demand an explanation of the logic of how automated decisions are made. Automated processing/profiling may partly be based on data collected from public sources. We will inform the Data Subject of automated processing/profiling if we use it;
  (8) the right to an opinion of a supervisory authority on whether the processing of the Data Subject’s personal data is lawful;
  (9) the right to compensation for damage if damage was caused to the Data Subject with personal data processing.
  8.3 Exercise of rights. The Data Subject has the right to contact PZU using the contact details given in point 2 if they have any questions, requests or complaints about personal data processing.
  8.4 Submission of complaints:
  (1) the Data Subject has the right to file a complaint with PZU, the Data Protection Inspectorate or a court;
  (2) the contact details of the Data Protection Inspectorate can be found on its website at https://www.aki.ee/et/inspektsioon-kontaktid/tootajate-kontaktid.

• 9. Retention of personal data and security of processing

  9.1 Retention. We retain personal data only for the period required for the purpose of processing. The personal data whose retention period has expired will be destroyed or anonymised. We retain personal data according to the purpose of processing, upon the submission of claims from the expiration dates of possible claims and the retention periods stipulated by law.

  9.2 Security measures. We have established guidelines and procedural rules on how to guarantee the security of personal data via the use of organisational and technical measures. Among others, we do the following to ensure security and confidentiality:
  (1) we allow our employees to access personal data only if this is necessary for the performance of their duties and the relevant permission has been applied for and the rights have been granted;
  (2) a processor may process the personal data given to them only for the purpose and to the extent required for the provision of the service set out in the contract;
  (3) pursuant to the Insurance Activities Act and the contracts that have been entered into, the employees of PZU and the personal data controllers of PZU are obliged to keep all personal data confidential for an unspecified term. Personal data processing for purposes not related to job duties or the provision of services is prohibited.
  9.3 If any incident occurs in relation to personal data, we will make every effort to alleviate the consequences and to manage the relevant risks in the future. Among others, we will register all incidents and, if required, inform the Data Protection Inspectorate and the Data Subject thereof directly (e.g. by e-mail) or publicly (i.e. via national media).

• 10. Cookies and other tracking technologies

  10.1 We may collect data about the Visitors and Clients of the Website and other information society services (e.g. self-service) through the use of Cookies (i.e. little pieces of information saved by the Visitor’s browser on the hard disk of the Visitor’s computer or another device), or other similar technologies, and process such data (e.g. the IP address, device information, location information).
  10.2 We use the collected data to be able to provide the Service according to the Visitor’s or Client’s habits, to ensure the best Service quality; to inform the Visitor and the Client of content and make recommendations; to direct advertisements better according to marketing goals; to make logging in easier and to protect data. The collected data are also used to count Visitors/Clients and record their usage habits.
  10.3 We use session, permanent and advertising cookies. A session cookie is automatically deleted after each visit; permanent cookies will not be deleted in the case of repeated visits to the Website and websites of PZU’s partners that use advertising and third party Cookies, and are connected to the PZU Website. PZU does not control the emergence of these Cookies, so you can get information about these Cookies from the third parties.
  10.4 Visitors agree to the use of Cookies on the Website or in the web browser. Cookies are enabled in most web browsers. All the functions of the Website may not be accessible to the Visitor if Cookies are disabled. Enabling or disabling Cookies and other similar technologies is controlled by the Visitor via their web browser settings.