This Personal Data Protection policy is adopted with the purpose of providing registered individuals, hereinafter referred to as "individuals", information on how Sjóvá uses personal data. It is intended to ensure the integrity of data, the quality of processing and the protection of information on individuals, and that personal data is processed in accordance with current legislation on personal data protection.
The main purpose of processing personal data at the Sjóvá group is to provide personalised services in the field of optional and mandatory insurance.
The responsible party is Sjóvá-Almennar tryggingar hf. (Sjóvá), Reg. No. 650909-1270, Kringlan 5, 103 Reykjavík. Sjóvá-Almennar líftryggingar hf., Reg. No. 650568-2789, is a subsidiary of Sjóvá and all its activities are outsourced to the parent company. The companies act as jointly responsible parties regarding the processing that the life insurance company outsources to the parent company. The companies are insurance companies and operate under the Act on Limited-liability Companies, No. 2/1995; the Act on Insurance Activities, No. 100/2016; and the Act on Insurance Groups, No. 60/2017. The Sjóvá Group operates in the insurance market and is a comprehensive insurance company with operations in Iceland in the field of non-life and life insurance.
The policy covers Sjóvá's customers, representatives of customers who are legal entities, individuals who contact Sjóvá or visit the company's establishments, as well as job applicants. Processing contracts, which Sjóvá concludes with parties who are responsible for processing data on behalf of Sjóvá, must comply with the policy.
Personal data consists of information that can be traced directly or indirectly to a specific individual. This includes, for instance, names, Id. Nos., addresses, location data, e-mail addresses, telephone numbers, cadastral numbers, car registration numbers, credit card numbers, Internet identifiers (such as IP numbers), information on bank accounts, identifiers, passports or other identity documents, photos, videos and usernames.
Sensitive personal information includes health information, political opinions, religion, genetic and biometric data.
The processing of personal data is defined as any operation or set of operations that are performed upon personal data, whether the processing is manual or electronic.
For the most part, Sjóvá processes information that registered individuals provide voluntarily, such as when purchasing insurance or submitting claims for loss or damage. In such cases, clients supply personal information such as their name, Id. No. and address. The company may, however, also process data that identify such persons, such as information on the financial and health circumstances of individuals. Sjóvá may also obtain information from other sources, such as lawyers, police, health institutions, other insurance companies and from the insurance companies' claims database.
The processing of individuals’ personal data is carried out to prepare offers for insurance coverage, when insurance is taken out, in claims services, for processing Stofn benefits in the customer premium service Stofn, which in some cases is done by external parties, retailers and service providers, in presenting information on customer pages on Mitt Sjóvá, for use in the Innsýn remote viewing solution, in communications and marketing, for internal control, audits and risk management, and in communication with and processing of representatives of clients who are legal entities.
Processing can also take place in connection with individuals' communications with Sjóvá regarding suggestions and compliments, complaints to Sjóvá, information and information gathering through an online chat, in connection with requests for grants from Sjóvá and when processing job applications.
The company may also, in connection with an appropriate risk assessment, obtain information on politically exposed persons (PEPs), as provided for in the Act on Actions to Combat Money Laundering and Terrorist Financing.
The processing of personal data also takes place in Sjóvá's electronic monitoring, in the form of call recording and camera surveillance at Sjóvá's establishments. Telephone calls to and from Sjóvá may be recorded. The purpose of audio recording is to ensure the integrity and traceability of information and orders for transactions, to ensure the safety of employees and to provide proof in connection with insurance transactions. Audio recording can also be part of employee training and used to improve service.
A surveillance camera system is in operation at Sjóvá's facilities in order to ensure the safety of employees and the security of premises and asset custody.
Sjóvá's authorisation to process the data is mainly based on the provisions of Act No. 90/2018, on Data Protection and the Processing of Personal Data, concerning the data subject's consent to processing, the need to enter into a contract with the data subject and to protect the legitimate interests and legal obligations of the company.
When determining the terms and conditions for insurances and their renewal, the company relies on a specific classification of customers that is processed automatically in the company's systems. Premiums, claims history and business history form the basis of that classification, which is intended to contribute to a fairer distribution of premiums and is part of Sjóvá’s risk diversification. The company has a legitimate interest in the classification of customers according to risk, and this is an important part of setting premiums. Customer classification is also used for marketing and statistical purposes, based on legitimate interests.
Under certain circumstances, Sjóvá uses automated decision-making in providing services. In automated decision-making, IT systems process data automatically according to predetermined parameters and the outcome is delivered to employees or directly to individuals. Sjóvá uses automated decision-making in the following processes, based on available information about individual persons and their transactions:
Individuals always have the right to deal with a person if they wish, to express their views, to receive an explanation for a decision and to object to it.
Sjóvá does not share personal information with third parties except where necessary for the company to fulfil its obligations and agreements or for other legitimate purposes.
Sjóvá may pass on your personal information to third parties, such as service providers who provide Sjóvá with IT services, collection services for debt collection or to other third parties, such as workshops and claims service providers, as well as other services related to the processing and the company’s operations. Processing authorisation is based on Sjóvá’s legitimate interests and contractual obligations.
In some cases, Sjóvá avails itself of expert assistance from external parties regarding claims, for example, with impact and speed calculations, evaluation of medical data, reporting and inspections in connection with claims; such processing is based on the processing agreements currently in effect between Sjóvá and the processor. Processing authorisation is based on the legitimate interests of Sjóvá.
Sjóvá shares information on claims with the insurance companies’ claims database stored at Creditinfo. This includes information on registered claims reported to the company, with the exception of claims covered by life and sickness insurance and claims concerning children under the age of criminal responsibility. The claims database is a joint registration and reference database of insurance companies. The purpose of the database is to prevent insurance fraud and overpayment of insurance compensation.
If required under current laws or regulations, personal data may be provided to third parties such as the authorities or courts.
Individuals are entitled to request access to their personal data, subject, however, to the limitations that Act No. 90/2018 provides for. An individual has the right to a copy of this information and can request it by filling out a request form available on the company's website. Sjóvá must deliver the information within 30 days of receiving the request.
Sjóvá focuses on ensuring that personal data is reliable and accurate at any given time. Individuals are entitled, under certain circumstances, to have their data corrected or deleted, or to have its processing limited.
Individuals are entitled to object to the processing, transfer their own data and withdraw their consent for processing. Due to the nature of insurance companies’ activities, the contractual relationship is based on the provision of correct information, and withdrawal of approval can lead to the termination of a contract or impede the processing of an application or claim and determination of compensation. Individuals are entitled to submit a complaint about the processing of personal data to Sjóvá and/or to the Data Protection Authority (Persónuvernd).
Security is the overriding principle in Sjóvá’s handling and processing of personal data. An access control policy has been established for this purpose and procedures adopted for access authorisations of employees and agents. Sjóvá endeavours thereby to ensure that only those who need to process such information will have access. Sjóvá, moreover, has adopted the ISO 27001:2013 Information Security standard and is certified accordingly.
As Sjóvá outsources operation of the company’s IT systems, it requires hosting and service entities to fulfil requirements regarding personal data protection and information security.
Sjóvá has established an archiving schedule with provisions on how long data is to be preserved, including personally identifiable data. The preservation period of the data is determined based on differing needs for preservation depending on the nature of the data. This period is determined in part by legislation and regulations, such as statutes of limitations which may prescribe periods between 4 and 20 years, accounting rules which require 7 years' preservation, and rules on electronic supervision which provide for a maximum retention of 30 days. Job applications are deleted after 6 months. When it is no longer considered necessary to retain the data, it is irretrievably eradicated. To this end, Sjóvá has established rules on the deletion of data.
Individuals found to have acted fraudulently or threatened an employee of the company may be barred from further business dealings with the company. The same applies to those who are significantly in arrears with the company. The company will use its customer database to identify those who are excluded as clients for these reasons.
Should any suspicion of fraudulent behaviour arise, investigation may involve the gathering of personal data from persons other than the data subject. Such processing is carried out for the purpose of preventing insurance fraud and ensuring that other clients do not pay (through their premiums) for undeserved compensation.
Sjóvá has appointed a Personal Data Protection Officer whom private persons can contact to discuss any issues relating to the processing of their personal data and how they can exercise their rights. To make suggestions and contact Sjóvá's DPO, an email can be sent to personuvernd@sjova.is.
This policy is reviewed regularly and may be amended due to changes in the company’s processing of personal data or amendments to legislation or regulations on personal protection.
In effect from: 12/10/2023