Privacy Policy

PRIVACY POLICY OF JSIC OZK-INSURANCE AD FOR THE PROTECTION OF PERSONAL DATA OF NATURAL PERSONS

 

This Policy (the Policy) sets out the terms and conditions under which individuals whose personal data is processed by JSIC OZK-Insurance AD (OZK) may exercise their rights under the Personal Data Protection Regulations.

I. GENERAL PRINCIPLES

1. OZK processes and protects personal data collected in the course of its activities in a fair and lawful manner and in accordance with the purposes for which the data was collected.
 
2. Employees who process personal data for the purposes of distributing insurance products, concluding insurance contracts, performing obligations under insurance contracts, and settling claims under insurance contracts as part of their job duties shall comply with the following principles when processing personal data:
  1. Personal data shall be processed lawfully and in good faith.
  2. Personal data shall be collected for specific, clearly defined and lawful purposes and shall not be further processed in a manner incompatible with those purposes.
  3. Personal data collected and processed in the course of human resources management shall be relevant, related to and not excessive in relation to the purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data shall be erased or rectified when it is found to be inaccurate or disproportionate in relation to the purposes for which it is processed.
  6. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
3. Employees who process personal data undergo initial and periodic training on confidentiality and are familiar with the applicable legislation.
 
II. RIGHTS OF DATA SUBJECTS
 
Data subjects have the following rights regarding their personal data:
  1. Right of access;
  2. Right to rectification;
  3. Right to data portability;
  4. Right to erasure (right to be forgotten);
  5. Right to request restriction of processing;
  6. Right to object to the processing of personal data;
  7. Right of the data subject not to be subject to a decision based solely on automated processing, including profiling.

Right of access

4. Upon request, OZK shall provide the data subject with the following information:

  1. confirmation whether OZK processes the personal data of the person or not;
  2. a copy of the personal data of the person processed by OZK and an explanation regarding the processed data.
5. The explanation under Article 4(2) shall include the following information regarding the personal data processed by OZK:
  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request rectification or erasure of personal data or restriction of processing concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling, and information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject;
  9. where personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.
6. The explanation regarding the processed data includes the information that OZK provides to data subjects through a privacy notice.
 
7. Upon request by the data subject, OZK may provide a copy of the personal data being processed.
 
8. When providing a copy of personal data, OZK may not disclose the following categories of data:
  1. personal data of third parties, unless they have given their express consent to this;
  2. data that constitutes a trade secret, intellectual property, or confidential information;
  3. other information that is protected under applicable law.
9. Providing access to data subjects shall not adversely affect the rights and freedoms of third parties or result in a breach of OZK's regulatory obligations.
 
10. Where requests for access are manifestly unfounded or excessive, in particular because of their repetitive character, OZK may charge a reasonable fee based on the administrative costs of providing the information or refuse to act on the request for access.
 
11. OZK shall assess on a case-by-case basis whether a request is manifestly unfounded or excessive.
 
12. In case of refusal to grant access to personal data, OZK shall justify its refusal and inform the data subject of his or her right to lodge a complaint with the Commission for Personal Data Protection.

Right to rectification

13. Data subjects may request that their personal data processed by OZK be corrected if it is inaccurate or incomplete.

14. Upon satisfaction of a request for correction of personal data, OZK shall notify other recipients to whom the data has been disclosed (e.g., government agencies, service providers) so that they can reflect the changes.

Right to erasure (right to be forgotten)

15. Upon request, OZK is obliged to delete personal data if any of the following grounds exist:

  1. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  2. the data subject withdraws their consent on which the processing is based and there is no other legal ground for the processing;
  3. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  4. the data subject objects to the processing of personal data for direct marketing purposes;
  5. the personal data has been unlawfully processed;
  6. the personal data must be erased in order to comply with a legal obligation of OZK;
  7. the personal data has been collected in relation to the offering of information society services to children within the meaning of Article 8(1) of Regulation (EU) 2016/679.
16. OZK is not obliged to erase personal data insofar as processing is necessary:
  1. for exercising the right to freedom of expression and the right to information;
  2. for complying with a legal obligation of OZK;
  3. for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) of Regulation (EU) 2016/679;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of Regulation (EU) 2016/679 in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. for the establishment, exercise, or defense of legal claims.

Right to restriction of processing

17. The data subject shall have the right to obtain restriction of processing where one of the following applies:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful, but the data subject does not want the personal data to be erased and requests instead that its use be restricted;
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims;
  4. the data subject has objected to the processing on the basis of the legitimate interest of OZK and an assessment is ongoing as to whether the legitimate grounds of the controller override the interests of the data subject.
18. OZK may process personal data whose processing is restricted only for the following purposes:
  1. for data storage;
  2. with the consent of the data subject;
  3. for the establishment, exercise, or defense of legal claims;
  4. to protect the rights of another natural person; or
  5. for important reasons of public interest.

19. When the data subject has requested restriction of processing and any of the grounds under Article 17 apply, OZK shall inform the data subject before lifting the restriction on processing.

Right to data portability

20. The data subject has the right to receive the personal data concerning him or her, which he or she has provided to OZK, in a structured, commonly used, and machine-readable format.

21. Upon request, this data may be transferred to another controller specified by the data subject, where technically feasible.
 
22. The data subject may exercise the right to portability in the following cases:
  1. the processing is based on the consent of the data subject;
  2. the processing is based on a contractual obligation;
  3. the processing is carried out by automated means.
23. The right to portability shall not adversely affect the rights and freedoms of others.

Right to object

24. The data subject has the right to object to the processing of his or her personal data by OZK if the data is processed on one of the following grounds:

  1. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  2. the processing is necessary for the purposes of the legitimate interests pursued by OZK or by a third party;
  3. the processing involves profiling.
25. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Right to object to the processing of personal data for direct marketing purposes
 
26. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data for such purposes, including profiling related to direct marketing.
 
27. Where the data subject objects to processing for direct marketing purposes, the processing of personal data for such purposes shall be discontinued.
 
Right to human intervention in automated decision-making
 
28. Where OZK takes automated individual decisions involving or excluding profiling that produce legal effects concerning natural persons or significantly affect them in a similar way, those persons may request a review of the decision with human intervention and express their point of view.
 
29. OZK shall provide natural persons subject to automated decision-making with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the person.
 

III. PROCEDURE FOR EXERCISING THE RIGHTS OF DATA SUBJECTS

30. Data subjects may exercise their rights under these Rules by submitting a request to exercise the relevant right.

31. Requests to exercise the rights of data subjects may be submitted in the following ways:
  1. By email to the following email address: headoffice@ozk.bg
  2. In person at the OZK offices
  3. By post to the address of the OZK Central Administration: 7, Sveta Sofia Street, 1000 Sofia City

32. The request to exercise personal data rights should contain the following information:

  1. Identification of the person – name and personal identification number and, depending on the nature of the relationship, policy number/client number/claim number;
  2. Contact details for feedback – address, telephone number, email address;
  3. Request – description of the request.

33. OZK shall provide information on the actions taken in connection with a request to exercise the rights of data subjects within one month of receiving the request.

34. If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests from a particular person. OZK shall inform the person of any such extension within one month of receiving the request, stating the reasons for the delay.
 
35. OZK shall not be obliged to respond to a request if it is unable to identify the data subject.
 
36. OZK may request additional information necessary to confirm the identity of the data subject where there are reasonable doubts about the identity of the natural person making the request.
 
37. Where the request is submitted by electronic means, the information shall be provided by electronic means, unless the data subject has requested otherwise.
 

IV. DEFINITIONS

"Personal data" means any information relating to an identified or identifiable natural person, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
 
"Applicable law" means the law of the European Union and the Republic of Bulgaria that is relevant to the protection of personal data;
 
"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, and in particular for analyzing or predicting aspects relating to the performance of that natural person's professional duties, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;
 
"Data subject" means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
 
"Regulation (EU) 2016/679" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), published in the Official Journal of the European Union on May 4, 2016.