Privacy Policy

Purpose

This privacy policy is established to provide registered individuals, hereinafter referred to as “individuals,” with information on how Sjóvá processes personal data. It aims to ensure data reliability, processing quality, and the protection of individuals’ information, so that personal data is processed in accordance with applicable data protection laws.

The primary purpose of processing personal data within the Sjóvá Group is to provide individuals with services related to contractual and mandatory insurance.

Scope and Responsibility

The responsible entity is Sjóvá-Almennar tryggingar hf., reg. no. 650909-1270, Kringlan 5, 103 Reykjavík. Sjóvá-Almennar líftryggingar hf., reg. no. 650568-2789, is a subsidiary of Sjóvá, with all its operations outsourced to the parent company. The companies act as joint controllers regarding the processing outsourced by the life insurance company to the parent company. These companies operate as insurance providers under the Companies Act No. 2/1995, the Insurance Activities Act No. 100/2016, and the Insurance Groups Act No. 60/2017. The Sjóvá Group, hereinafter referred to as “Sjóvá,” operates in the insurance market as a comprehensive insurance provider in Iceland, covering both non-life and life insurance.

This policy applies to Sjóvá’s customers, representatives of corporate customers, individuals who contact or visit Sjóvá’s offices, and job applicants. Processing agreements between Sjóvá and parties handling personal data on its behalf must align with this policy.

What is Personal Data?

Personal data refers to information that can be directly or indirectly linked to a specific individual. This includes names, ID numbers, addresses, location data, email addresses, phone numbers, property registration numbers, vehicle registration numbers, credit card numbers, online identifiers such as IP addresses, bank account details, passport or other ID document numbers, photos, videos, and usernames.

Sensitive personal data includes, among other things, health information, political opinions, religious beliefs, and genetic or biometric data.

The processing of personal data refers to any action or series of actions performed on identifiable information, whether manually or electronically.

Personal Data Processed by Sjóvá

Sjóvá primarily processes personal data provided by individuals themselves, such as during the purchase of insurance or when reporting a claim. Customers typically provide basic personal details, such as name, ID number, address, phone number, and email. However, the company may also process other identifying information, such as financial and health-related data. Sjóvá may also receive information from other parties, such as lawyers, law enforcement agencies, healthcare institutions, other insurance companies, and the insurance industry’s claims database.

The processing of individuals’ personal data occurs during communication, insurance quoting, policy issuance, claims handling, processing of benefits under the Stofn loyalty program (which in some cases is managed by external parties, retailers, and service providers), the display of information on customers’ My Sjóvá portals, the use of the InSight remote viewing solution, customer interactions, marketing, service surveys, internal audits, reviews, risk management projects, and the processing of corporate customer representatives’ data.

Processing also occurs in relation to customer feedback, complaints, online chat inquiries, sponsorship requests, and job applications submitted to Sjóvá.

Additionally, the company may, in accordance with applicable risk assessments, collect information on individuals’ political affiliations in high-risk cases, as required by anti-money laundering and counter-terrorism financing laws.

Sjóvá also conducts electronic monitoring through recorded phone calls and security cameras at its offices. Calls to and from Sjóvá may be recorded to ensure data reliability and traceability, employee security, and proof of insurance-related transactions. Call recordings may also be used for staff training and service improvements.

A surveillance camera system is operated at Sjóvá’s offices to ensure the safety of employees and premises and to protect assets.

Sjóvá’s authority to process personal data is primarily based on the provisions of the Data Protection Act No. 90/2018, including individuals’ consent, the necessity of processing for contract performance, the company’s legitimate interests, and legal obligations.

Profiling

When determining pricing for new and renewed insurance policies, Sjóvá uses automated customer classification within its systems. This classification is based on premium amounts, claim history, and transaction history to ensure fair premium distribution and risk diversification. The company has a legitimate interest in categorizing customers by risk, as this is a crucial factor in premium setting. Customer classification is also used for marketing and statistical purposes, with legitimate interests serving as the basis for processing.

Automated Decision-Making

Sjóvá uses automated decision-making in certain service processes. This means that IT systems process data automatically based on predefined criteria, with the results communicated to staff or directly to individuals. Automated decision-making is used in the following cases:

  • Claims processing: Assessing claims, approving evaluations, and processing payments to ensure fast and efficient settlements. The legal basis is contract fulfillment.
  • Business acceptance decisions: Determining policy eligibility based on available customer information to process insurance applications as quickly as possible. The legal basis is contract fulfillment.
  • Automated issuance of personal insurance policies: Applicants must answer health-related questions, and the risk assessment for life and critical illness insurance is partially based on a Munich RE algorithm. However, no personally identifiable data is shared with Munich RE. The legal basis for health data processing is consent.

Individuals always have the right to request human intervention, express their views, receive explanations regarding decisions, and challenge them.

Sharing of Personal Data with Third Parties

Sjóvá does not share personal data with third parties except when necessary to fulfill its obligations and agreements or for other legitimate purposes.

Sjóvá may share personal data with third parties such as service providers in reinsurance, IT, debt collection, and claims handling, including workshops and service providers involved in claim settlements. The legal basis for such processing is Sjóvá’s legitimate interests and contractual necessity.

Sjóvá may also engage external specialists in claims assessment, including crash and speed calculations, medical evaluations, reporting, and damage inspections. These activities are subject to data processing agreements between Sjóvá and the service providers. The legal basis for processing is Sjóvá’s legitimate interests.

Sjóvá shares claim-related information in the insurance industry’s claims database, maintained by Creditinfo. This database includes reported claims except for life and critical illness insurance claims and claims involving minors under the age of criminal liability. The purpose of the claims database is to prevent insurance fraud and unjustified compensation payments.

Personal data may also be shared with third parties if required by law, such as with authorities or courts.

Data Subject Rights

Individuals have the right to request access to their personal data, subject to the limitations outlined in Data Protection Act No. 90/2018. They have the right to obtain a copy of their data by submitting a request form available on Sjóvá’s website. Sjóvá is obligated to provide the requested information within 30 days.

Sjóvá strives to maintain accurate and up-to-date personal data. Individuals may, under certain circumstances, request corrections, deletions, or restrictions on data processing.

Individuals have the right to object to processing, transfer their data, and withdraw consent. However, in the context of insurance contracts, withdrawing consent may result in contract termination or prevent claims processing. Individuals may file complaints about data processing with Sjóvá and/or the Icelandic Data Protection Authority.

Data Retention and Security

Sjóvá prioritizes security in personal data processing. Access control policies have been implemented to ensure that only authorized personnel can access data. Sjóvá is ISO27001:2013 certified for information security.

Sjóvá outsources its IT operations and requires service providers to meet strict data protection and security standards.

A data retention policy governs how long records, including personal data, are stored. Retention periods depend on legal requirements, such as the statute of limitations (4–20 years), accounting laws (7 years), and electronic surveillance regulations (maximum of 30 days). Job applications are deleted after 6 months. When data is no longer needed, it is permanently deleted according to Sjóvá’s data destruction policies.

Fraud and Blacklisting

Individuals engaged in fraudulent activities, threats against employees, or significant debt defaults may be blacklisted and excluded from doing business with Sjóvá. Investigations of suspected fraud may involve gathering data from sources other than the individual concerned.

Data Protection Officer

Sjóvá has appointed a Data Protection Officer whom individuals can contact regarding personal data processing and their rights. Inquiries can be directed to personuvernd@sjova.is.

This policy is reviewed as needed, including when processing changes or legal updates occur.