This personal data protection policy is adopted with the purpose of ensuring that personal data is processed in accordance with applicable laws on personal data protection. It is intended to ensure the integrity of data, the quality of processing and the protection of personal information. The main purpose of processing personal data within the Sjóvá Group is to provide tailored services in the field of contractual and mandatory insurance.
Scope and responsibilities
The responsible party is Sjóvá-Almennar tryggingar hf., ID No. 650909-1270, Kringlan 5, 103 Reykjavík. Sjóvá-Almennar líftryggingar hf., ID No. 650568-2789, is a subsidiary of Sjóvá, and its entire operation is outsourced to the parent company. The companies are insurance companies and operate in accordance with Act No. 2/1995 on Private Limited Companies, Act No. 100/2016 on Insurance Operations and Act No. 60/2017 on Insurance Groups. The Sjóvá Group (hereinafter referred to as Sjóvá) operates in the insurance market and is a comprehensive insurance company with operations in Iceland in the field of non-life and life insurance.
The policy covers all the employees of Sjóvá-Almennar tryggingar hf. and the Boards of Directors of the companies. In addition, it is the basis for the processing contracts into which Sjóvá enters with those who are responsible for processing data on behalf of Sjóvá.
What does personal information consist of?
Personal information consists of information that is information that can be traced directly or indirectly to a specific individual. This includes, e.g. names, ID Nos., addresses, location data, e-mails, telephone numbers, property ID Nos., vehicle registrations, credit card numbers, Internet identification (IP numbers), information on bank accounts, passports or other ID document identifiers, pictures, videos and user names.
Sensitive information includes health information, political views, religion, DNA and biometric information.
The processing of personal data is defined as any operation or set of operations that are performed upon personal data, whether the processing is manual or automatic.
Personal information that Sjóvá processes
For the most part, Sjóvá processes information that clients provide voluntarily, such as when purchasing insurance and notifying of loss or damage. In such cases, clients supply personal information such as their name, ID No. and address. The company may, however, process information that identify such persons, such as the financial and health circumstances of individuals. Sjóvá may also obtain information from other entities such as attorneys, the police, healthcare centres and from the loss and damages database of SFF (Icelandic Financial Services Association).
The authorisation to process the data is based, for the most part, on the provisions of Act No. 90/2018 on the Protection of Personal Privacy as regards the agreement of the registered person for processing, what is required to reach an agreement with the person registered and the legislative obligations placed on the company.
Rights of the data subject
Individuals are entitled to request access to their personal information with, however, the limitations that Act No. 90/2018 provides for. Sjóvá focuses on ensuring that personal information is reliable and accurate at any given time. Individuals are entitled, under certain circumstances, to have their information corrected, deleted or limit their processing.
Clients and those involved in loss and damage are entitled to contest the processing, transfer of own data and withdraw their approval for processing. Due to the nature of the operation of insurance companies, the contractual relationship is based on the provisions of correct information, and the withdrawal of approval can lead to the termination of the agreement or prevent the processing of loss or damage and determination of compensation. Clients and those involved in loss or damage are entitled to submit complaints regarding the processing of personal data to Sjóvá and monitoring bodies.
The preservation and security of the data
Sjóvá is guided by security as regards the treatment and processing of personal data. An access control policy has been established for such purpose and procedures established for employees’ access authorisations. Sjóvá endeavours thereby to ensure that only those who need to process such information will have access. Sjóvá, moreover, has adopted the ISO 27001:2013 Information Security standard and is certified accordingly.
Sjóvá outsources the company’s IT systems and requires, therefore, that hosting and service entities fulfil requirements regarding the protection of personal data and information security.
Sjóvá has established a file storage schedule that contains provisions on how long data is to be preserved, including personally identifiable data. The preservation period of the data is determined based on differing needs for preservation depending on the nature of the data. The preservation period of data is determined by statutes of limitations and accounting rules. Once the preservation of the data is no longer deemed necessary, such data is permanently deleted. Sjóvá has established rules on the deletion of data for this purpose.
Sjóvá does not share personal data for purposes other than necessary to enable the company to fulfil its duties and contracts or for other legitimate reasons.
On determining business terms when renewing and issuing insurance, the company bases its decisions on specific classification of clients that is automatically prepared by the company’s systems and is the basis for the agreement between the client and Sjóvá. Premiums, loss/damage history and business history forms the basis for such classification and is intended to promote the fair distribution of premiums and be a part of Sjóvá’s risk distribution. In addition, the company may use the classification for marketing and statistical purposes.
Sjóvá operates the customer premium service Stofn for clients that fulfil specific criteria. Members of Stofn enjoy certain perks that involve the processing of personal information. In some cases, such services are provided by external parties such as Vegaaðstoð (roadside services) or discount terms in stores and from service entities. If a client choses to take advantage of such benefits from a service provider, such entity may contact the company to verify that the customer in question is a member of Stofn. Further information about Stofn and Stofnendurgreiðslu (Stofn Refund) may be found on the website of the company, www.sjova.is.
Restricted registration and fraud
A client found to have acted fraudulently or threatened an employee of the company may be barred from business dealings with the company. The same applies to any who are significantly in arrears with their debts to the company. The company will use its customer database to identify those who are no longer accepted as clients of the company for these reasons.
In the event of any suspicion of fraudulent behaviour, one aspect of the investigation may involve the gathering of personal data from persons other than the registered individual. The processing is carried out for the purpose of preventing insurance fraud and ensuring that other clients do not pay (through their premiums) for undeserved benefits.
Data Protection Officer (DPO)
Sjóvá has appointed a Personal Data Protection Officer that private persons can contact to discuss any issues relating to the processing of their personal data and the manner in which they can exercise their rights. The Sjóvá DPO can be contacted by sending an e-mail to firstname.lastname@example.org.