1. GENERAL INFORMATION

As part of its social responsibility, the company is committed to complying with personal data protection law. The company’s privacy policy is based on the basic principles that are globally accepted in the field of personal data protection and is based on applicable European and national legislation in this field.

The company collects, stores and uses personal data as part of its daily activity. Personal data is processed for legitimate purposes, such as, but not limited to, the execution of insurance brokerage mandates or commercial contracts where the company is a contracting party, as well as for other purposes stipulated or permitted by law.

In order to inform you about the data protection policy implemented by our company, we are providing you with this section dedicated to data protection, with the purpose of explaining in a simple and transparent way what type of personal data we are collecting from you and how we are processing it.

In terms of personal data protection, our broker, applies the provisions of the European and national legislation, assuring the application of the highest ethical standards in the activity carried out.

We are happy about your interest in our company, our products and services. Data protection is highly important for us. Therefore, the navigation on the company websites is possible without providing any personal data, with the exception of cookies, if they were set during a previous browsing session and they have not already expired. Nevertheless, if a person wishes to use the special services of our company via its websites, personal data processing may be necessary. When personal data processing is needed and there is no legal basis for this action, we always request the agreement of the concerned person.

Personal data processing such as the name, address, email address or the phone number of the concerned person is always carried out in conformity with the General Data Protection Regulation (GDPR – 679/2016 CE) and in conformity with the specific provisions of the national legislation regarding data protection.

  1. OBJECTIVES

The main objectives of the company regarding data protection are as follows:

  • Ensure that the processing of personal data is carried out in accordance with the legitimate purposes for which it was collected;
  • Ensure that all personal data under company’s custody are adequately protected against any threats or attacks;
  • Maintain a high degree of awareness on personal data protection requirements so that they are integrated into the day-to-day operations, ensuring that all employees are informed of the procedures they are required to follow for legitimate collection, processing, disclosure, transfer, retention, archiving and destruction of personal data;
  • Ensure that all company’s employees understand the importance of personal data protection practices and their responsibilities for maintaining personal data security;
  • Ensure that all business partners who collect, store and process personal data on behalf of the company fulfil and apply appropriate protection and security measures on personal data.
  1. DEFINITIONS

Our privacy policy is based on the terminology used by the European directive and the national regulatory framework adopted for the application of the General Data Protection Regulation (GDPR).

  • a) personal data
    Personal data represents any information regarding an identified or identifiable individual person (named a “concerned person”). An individual is considered to be identifiable when it can be identified, directly or indirectly, especially by associating it with an online identifier or one or more special characteristics, which provide the physical and physiologic characteristics, the genetic, mental, economic, cultural or social identification of this individual.
  • b) concerned person
    The concerned person is any identified or identifiable individual whose personal data is processed by the operator.
  • c) processing
    Data processing means any process or series of operations carried out with or without automatized procedures related to personal data, such as the collection, registration, organization, ordination, storage, adapting, modifying, reading, interrogating, using, divulging through transmission, distributing and other forms of providing, the reconciliation and association, the restriction, the erasing or destruction.
  • d) restricting processing
    The restriction of data processing represents the marking of personal data in storage, with the purpose of limiting the ulterior processing.
  • e) consent
    The consent represents the unambiguous expression of the will of the concerned person, voluntarily, in the form of a declaration or other confirmatory act unequivocally regarding a particular case from the concerned person, by which it indicates that he agrees with the processing of his own personal data.
  • g) operator or operator responsible with data processing
    The operator or operator responsible with data processing is an individual or a legal person, public authority, which makes decision in regards to the purpose and means of processing personal data, on its own or in conjunction with others.
  • g) person authorized by the operator
    The person authorized by the operator is an individual or a legal person, a public authority or another organ which processes the personal data on behalf of the operator.
  • h) beneficiary
    The beneficiary is an individual or legal person, a public authority, an institution or another entity, to which personal data is revealed, nevertheless it is or isn’t a third party. The public authorities which can gain possession of the personal data in conformity with the EU legislation or with that of the member states in relation to a certain investigation mission, are not considered beneficiaries.
  1. THE NAME AND ADDRESS OF THE OPERATOR RESPONSIBLE WITH THE PROCESSING

The operator, within the meaning of the General Regulation on data protection and other applicable data protection laws in the Member States of the European Union, as well as other data protection provisions, is:

HOLFIN INSURANCE REINSURANCE BROKER S.A.

Address: Bucharest, District 2, 020335, 9-9A Dimitrie Pompeiu, Iride Business Park, Building 24, 2nd floor

TEL: +40 314 056 564

E-mail: [email protected]

Social Capital: 150.000 Lei

Registry of Commerce no: J40/14097/04.09.2006

Fiscal code: 18988490

Authorized by the Insurance Supervision Commission, on the basis of the decision no. 114401/10.10.2006

Registered in the Insurance Brokers Registry under no. RBK-368/11.10.2006 according to the applicable legislation.

Any concerned person can address questions, requests or suggestions regarding data protection at any time, directly to our Data Protection Officer.

E-mail: [email protected]

  1. THE RIGHTS OF CONCERNED PERSONS
  • a) The right to information
    Any person concerned by personal data processing has the right to obtain information regarding personal data related to his own person and a copy of this data, at any time and free of charge. Additionally, the European legislative and regulation authority has admitted to provide the concerned person the following information:

    • the purpose of data processing
    • categories of processed personal data
    • recipients or categories of recipients to whom the personal data has been divulged or to whom it will be divulged, especially recipients from third party countries or international organizations
    • if it is possible, the planned storage duration of personal data, or if it is not possible, the criteria for establishing this period
    • the existence of a right of correction or deletion of personal data which concern him/her or of a limitation of data processing by the operator or of a right of opposition for such a processing operation
    • the existence of a right to register a complaint with a supervising authority
    • when the personal data is not collected from the concerned person, all available information about the origin of the data
    • the existence of an automated decision making process, including the establishment of profiles on the basis of article 22 paragraphs (1) and (4) of GDPR and – at least in this cases – relevant information regarding the logic involved and the field of application, as well as the projected impact of such data processing operation over the concerned person

    Furthermore, the concerned person has the right to be informed that the personal data have been transmitted to a third party country or to an international organization. In such a case, the concerned person has the right to obtain information regarding the appropriate guarantees relating the transfer.

    In case the concerned person wishes to exercise their right of information, he/she can contact us at any time, using the email address: [email protected]

  • b) The right of correction
    Any person concerned by personal data processing has the right to request the immediate correction of inexact personal data. Furthermore, the concerned person has the right to request the completion of certain personal data which is incomplete, including through a supplementary declaration, taking into account the purpose of the processing.If the concerned person wishes to exercise their right of correction, he/she can contact the operator at any time, using the email address: [email protected]
  • c) The right of deletion (the right to be forgotten)
    Any person concerned by the processing of personal data has the right to request the operator to immediately remove any personal data regarding him/her, with the condition that the processing is not necessary and one of the reasons below exist:

    • personal data has been collected with another purpose or it has been processed in a different way, making it unnecessary.
    • the concerned person withdraws their consent on which the processing is based, in conformity with article 6 paragraph (1) letter (a) of GDPR or with article 9 paragraph (2) letter(a) of GDPR and there is no other legal basis for processing it.
    • the concerned person opposes the processing operation in conformity with article 21 paragraph (1) of GDPR and there are no reasons good enough to process the data, or the concerned person opposes the processing operation in conformity with article 21 paragraph(2) of GDPR.
    • the personal data has been processed illegally.
    • the deletion of personal data is necessary in order to accomplish a legal obligation on the basis of the EU legislation or the national legislation to which the operator adheres.
    • the personal data has been collected in relation to services offered by the informational company in conformity with article 8 (1) of GDPR.

    If one of the reasons above applies and a concerned person wishes to delete their own personal information stored by the operator, he/she can contact us at any time, using the email address: [email protected]

    Our company  as operator will take care the deletion request will be honoured as shortly as possible.

    When the personal data has been made public by our company and we are obliged based on article 17, paragraph 1 of GDPR to delete the personal data, we will take the appropriate measures, including ones of technical nature, taking into account the available technology and the implementation costs, in order to inform the other operators/authorised persons which process published personal data, that the concerned person has requested the deletion of all the existing links to this personal data, as well as of the copies, with the exception in the case when processing the data is necessary.

  • d) The right to restrict data processing
    Any person concerned by the processing of personal data has the right to request the data operator to restrict the processing in case one or more of the following reasons apply:

    • the concerned person contest the accuracy of their personal data for a period of time which allows the operator to verify its accuracy.
    • the processing is illegal, the concerned person refuses the deletion of the personal data and request as an alternative to restrict the usage of personal data.
    • the operator does not need the personal data with the purpose to process it, but the concerned person needs them to establish, exercise or to defend his legal rights.
    • the concerned person has formulated objections towards the processing in accord with article 21 paragraph(1) of GDPR and it is not yet established if the appropriate reasons prevail over the ones of the concerned person.

    If one or more of the conditions above exists and the concerned person does not wish to restrict their personal data stored by our company, he/she can contact us at any time, using the email address: [email protected].

  • f) The right of data portability
    Any person concerned by the processing of personal data has the to obtain their own personal data that has been provided to an operator by the concerned person, in a structured, common format which can be read robotically. He/she also has the right to transfer their data to another operator, without any restriction, through the operator to whom they have been provided, with the condition that the processing must be based on the consent granted on the basis of article 6 paragraph(1) letter(a) of GDPR or article 9 paragraph (1) letter(a) of GDPR or based on a contract on the basis of article 6 paragraph (1) letter (b) of GDPR and with the condition that the processing must be made with automatic processes, to the extent that the processing is not necessary for the fulfilment of a public interest task or for the exercising of a public authority, which has been attributed to the operator.Additionally, in order to exercise the right of data portability on the basis of article 20 paragraph (1) of GDPR, the concerned person has the right to obtain the facility that their personal data will be transmitted directly from an operator to another, if this action is feasible from a technical point of view and if this action does not affect the rights and liberties of other persons.In order to exercise the right of data portability, the concerned person can contact us at any time, using the email address: [email protected]
  • g) The right to object
    Any person concerned with personal data processing has the right, given by the European legislative and regulatory authority, that at any time, for reasons arising from their specific situation, to object to the processing of their personal data, pursuant to Article 6 (1) (e) or (f) of the GDPR. This also applies to profiling based on these provisions.Our company will not process personal data in the event of an appeal, unless it can demonstrate that there are compelling reasons for data processing, which go beyond the interests, rights and freedoms of the person concerned or if the data processing serves to establish, exercise or defend legal rights.If our company processes personal data for direct marketing, the person concerned has the right to oppose at any time during the processing of their personal data for the purpose of advertising. This also applies to profiling, insofar as it is associated with direct marketing. If the person concerned submits objections to processing for direct marketing purposes, our company will no longer process personal data for these purposes.In addition, the person concerned has the right, for reasons arising from their particular situation, to object against the processing of their personal data, processing which is done for scientific or historical research purposes, or for statistical purposes, in accordance with Article 89 (1) GDPR, unless such processing is necessary to fulfil a task of public interest.In order to exercise their right to object, the person concerned may contact us using the email address: [email protected]
  • h) Automatic decisions in individual cases, including profiling
    Any person concerned with the processing of their personal data has the right not to be the subject of a decision based exclusively on automatic processing – including profiling – which has legal effects or which, similarly, significantly affects it, to the extent that the decision (1) is not necessary for the conclusion or completion of a contract between the person concerned and the operator, or (2) it is allowed by the law of the European Union or of its member states to which the operator is subject, and this legislation provides for adequate measures to protect the rights and freedoms, as well as the legitimate interests of the person concerned, or (3) with the express consent of the person concerned.If the decision (1) is necessary for the conclusion or completion of a contract between the concerned person and the operator or (2) is made with the express consent of the person concerned, our company will take appropriate measures to protect the rights and freedoms, as well as the legitimate interests of the person concerned, which include at least the right to benefit from the intervention of a person named by the operator, to express its position and to challenge the decision.If the person concerned wishes to exercise their rights in relation to the decisions taken automatically, he/she can contact us at any time on the email address: [email protected]
  • i) The right to revoke the consent regarding data protection
    Any person concerned with the processing of their personal data has the right to revoke at any time the consent given for processing their personal data.If the person concerned wishes to exercise their right to withdraw their consent, he/she can contact us at any time on the email address: [email protected]
  1. COOKIES

The online pages of our company use cookies. Cookie are text files which are uploaded and stored on a computer system through an Internet browser.

Numerous web pages and servers use cookies. Many cookies contain a so called “cookie-ID”. A cookie-ID is a bi-unique identification code of the cookie. It is composed from a string of characters through which the web pages and servers can be attributed to a specific web browser in which the cookie has been saved. This allows websites and servers to distinguish the individual browser of the concerned person from other web browsers which contain other cookies. A certain web browser can be recognized an identified through the unique cookie-ID.

By using cookies, our company can offer to the users of this site multiple easy to use services, which would not be possible without placing cookies.

Through a cookie, the information and offers on our website can be optimized in the spirit of our users. Cookies allow us, as mentioned before, to recognize the users of our website. The purpose of this recognition is to facilitate the use of our website for the users. For example, the user of a site which uses cookies does not have to write his login details each time he visits that website, as this process is automatically done by the site with the aid of cookies stored in the user’s system. Another example is the online shopping basket cookie. The online shop retains the products a user has placed in his basket using a cookie module.

The concerned person can prevent the placing of cookies by our website at any time, trough a setting corresponding with the used browser, therefore permanently opposing to cookies being placed. Additionally, cookies that have already been placed can be deleted at any time trough a web browser or other software. This action is possible in all the usual web browsers. If the concerned person deactivates the placing of cookies in the used web browser, it is possible that some of its functions will not be completely usable.

  1. REGISTERING GENERAL DATA AND INFORMATION

Our website collects a series of general data and information when it is accessed by a concerned person or by an automated system. This general information and data is stored in the server’s log files. The following data can be registered: (1) the type and versions of the used web browser, (2) the operating system used by the accessing system, (3) the web page through which our site is accessed by an accessing system (the so called references), (4) the web sub-pages which are not accessed from our website by an accessing system, (5) the date and hour of the website access, (6) the internet protocol address (IP) and (7) other data and information used to prevent cyber attacks over our IT systems.

Our company does not build profiles based on this personal data and does not make decisions automatically based on such profiles. This information is necessary and it is processed only to: (1) correctly offer the content of our system, (2) to optimize the content of out system and to advertise it, (3) to insure the continuous functioning of our systems and the website technology, as well as (4) to provide the penal investigation authorities the necessary information to apply the law in case of cybernetic attacks. Our company statistically evaluates the data and information collected anonymously and also with the purpose to increase the protection and security of the data within our company, to insure, the best level of data protection for the processed information. The anonymous log file data on the server are stored separately from all the other personal data provided by the concerned persons.

  1. THE POSSIBILITY TO CONTACT US THROUGH THE WEBSITE

Because of legal regulation, our website contain information which allows the fast electronic contact with our company, as well as direct communication with us, including a general email address (office.holfinasig.ro). If a concerned person contacts the data operator via email or trough a contact form, the personal data provided by him will be automatically saved. This type of personal data, voluntarily transmitted by a concerned person to the operator are stored with the purpose of processing or to contact him. This data can be processed at a later instance by the company in order to offer goods and services (if the concerned person has willingly expressed his interest for such activities), for marketing purposes (if the concerned person has consented to his data being processed for marketing purposes). The access to personal data is explicitly limited by our company to a closed set of partners, which also include the companies offering us we development/maintenance services (personal data protection is assured trough contract provision standard to GDPR and trough the adequate technical and organizational measures.

  1. THE ROUTINE DELETION AND BLOCKING OF PERSONAL DATA

The operator processes and stores personal data of the concerned persons only during the time period necessary to achieving the aim of storing or, by case, as long as it is imposed by the European directives or regulation, or those emitted by any other law maker through the laws or regulations applying to the operator.

When the purpose of storing the information disappears, or when the storage period stipulated by the directives and regulations of the EU or any other relevant law maker expire, personal data will be routinely blocked or destroyed, in conformity with the legal provisions.

  1. DATA PROTECTION RULES FOR USING GOOGLE ANALYTICS (WITH ANONYMIZATION FUNCTION)

The operator has integrated the Google Analytics component (with anonymization function) on this site. Google Analytics is a web analytics service. Web analysis means recording, collecting and analysing data about visitor behaviour on websites. Moreover, Google Analytics can collect data on age, business preferences, etc., data obtained from user behaviour on other websites. Among other things, a web analytics service records data about the previous website from which the person concerned came onto the current one (the so-called references), which subpages the website accessed had or how often and for how long a subpage was viewed. A web analysis is mainly used to optimize a website and to perform the cost-benefit analysis of advertising.

The Google Analytics component operating company is Google Inc., 1600 Pkwy Amphitheatre, Mountain View, CA 94043-1351, USA.

The operator uses the extension “_gat._anonymizeIp” for web analysis through Google Analytics. Through this extension, the IP address of the person concerned will be reduced and anonymised by Google, if the access to our site is done from a Member State of the European Union or from another State party under the Space Agreement European Economic.

The purpose of the Google Analytics component is to analyse the visitor flow on our website. Among other things, Google uses the data and information obtained to evaluate the degree of use of our website, to present us with online reports showing the activities on our websites and to provide other services related to the use of our website.

Google Analytics places a cookie module in the concerned person’s computer system. By placing this cookie module, Google is allowed to analyse the use of our website. Each time a page of this website is accessed, if a Google Analytics component is integrated, the Internet browser of the concerned person’s computer system is automatically initiated by the respective Google Analytics component, to send data to Google for online analysis purposes. As part of this technical process, Google will be in possession of personal data, such as the IP address of the person concerned, which will allow Google, among others, to track the origin of visitors and clicks.

The cookie stores personal information, such as access time, the location from which it was accessed and the frequency of visits made by the person concerned. Each time one accesses our website, their personal data, including the IP address of the Internet connection used by the person concerned, is transmitted to Google in the United States. This personal data is stored by Google in the United States. Google may transfer personal data collected through the technical process to third parties.

The concerned person may at any time prevent the placing of cookies by our website, as we have shown above, through an appropriate setting of the Internet browser used, thus permanently opposing the placement of cookies. Such a configuration of the Internet browser would also prevent Google from placing a cookie module in the concerned person’s computer system. In addition, a cookie already placed by Google Analytics can be deleted at any time through the Internet browser or other software.

At the same time, the person concerned has the option to challenge and prevent the collection of data generated by Google Analytics regarding the use of this website and the processing of their data by Google. To do this, the person concerned must download and install a browser add-on from the following link: https://tools.google.com/dlpage/gaoptout. This browser / add-on communicates to Google Analytics through JavaScript that data and information about visits to Google Analytics cannot be transmitted. The installation of the browser add-on program is considered by Google as a contradiction. If the concerned person’s computer system is subsequently deleted, formatted or reinstalled, the person concerned must reinstall the browser add-on program to disable Google Analytics. If the browser add-on program is uninstalled or deactivated by the person concerned or any other person within their control sphere, there is a possibility of reinstalling or reactivating the browser add-on.

Additional information and Google’s data protection rules can be found at: https://www.google.de/intl/ro/policies/privacy/ and https://www.google.com/analytics/terms/us.html. Google Analytics is explained in more detail in this link https://www.google.com/intl/ro/analytics/

  1. THE LEGAL BASIS OF PROCESSING

Art. 6 I lit. of GDPR represents our company’s legal basis for the processing operations for which we request the consent for a certain purpose of processing. If the processing of personal data is necessary for the fulfilment of a contract in which the party is the person concerned, as is the case, for example, in the processing processes necessary for the delivery of goods or for the provision of services or services in the counterparty , the processing is based on art. 6 I lit. b from GDPR.

The same is true for the processing operations that are necessary to perform the pre-contractual measures, for example in the event of queries regarding our products or services. When our company is subject to a legal obligation that requires the processing of personal data, such as, for example, the fulfilment of fiscal obligations, the processing is based on Article 6 I letter. c from GDPR.

In rare cases, processing of personal data may be necessary to protect the vital interests of the person concerned or of another individual. An example of this would be the case where a visitor of our company headquarters would suffer an accident / illness and the name, age, medical insurance data or other vital information have to be transmitted to a doctor, clinic or other third party. In this case, the processing is based on art. 6 I lit. d from GDPR. Lastly, the processing operations can be based on art. 6 I lit. f from GDPR.

This legal basis includes processing operations that do not fall under any of the above legal grounds, when processing is necessary to protect the legitimate interests of our company or of a third party, as long as the interests do not prevail the fundamental rights and the fundamental freedoms of the data subject.

Such processing operations are allowed since they were specifically mentioned by the European legislator. The European legislator considered that a legitimate interest could be assumed if the data subject is the client of the operator (recital 47 thesis 2 of the GDPR).

When the processing of personal data is based on Article 6 I letter f from GDPR, our legitimate interest lies in carrying out our activity for the benefit of all our employees and shareholders.

  1. LEGISLATIVE FRAMEWORK
  • European legislation: The EU regulation 2016/679 of the European Parliament and of the Council from the 27th of April 2016, regarding the protection of individuals in regards to personal data processing and regarding the free circulation of this data and the abrogation of Directive 95/46/CE (The General Data Protection Regulation);
    To visualize this, please access the following link:
    www.dataprotection.ro/servlet/ViewDocument?id=1262
  • The national legislation: Law no. 129 from 15.06.2018 to modify and complete the law no. 102/2005 regarding the establishment, organization and functioning of the National Authority for Supervising the Processing of Personal Data, as well as for the abrogation of Law no. 677/2001 for the protection of the individuals in regards to personal data processing and the free circulation of this data.
    To visualize this, please access the following link: http://www.dataprotection.ro/servlet/ViewDocument?id=1502 (available only in Romanian language)
  1. LEGAL OR CONTRACTUAL PROVISIONS REGARDING THE FURNISHING OF PERSONAL DATA; THE NEED OF CONTRACT CONCLUSION; THE OBLIGATION OF THE PERSON CONCERNED TO PROVIDE THEIR PERSONAL DATA; POSSIBLE CONSEQUENCES OF NON-PROVISION

We advise you that the provision of personal information is partly required by law or may result from contractual conditions.

When signing up for an insurance policy it is necessary for the person concerned to provide us with personal data and sometimes data about his health status, which must be processed later by us and by the insurers.

For example, the person concerned is obliged to provide us with personal information when he/she wants to conclude an insurance or receive insurance offers.

Failure to submit personal data would result in the impossibility of generating offers and issuing insurance policies for the person concerned.

  1. DURATION FOR WHICH PERSONAL DATA ARE STORED

The criteria for the duration of the storage of personal data is given by the legal period of storage / archiving and by the terms and conditions initially established regarding the processing carried out.

  1. FUTURE UPDATES

The content of these provisions may undergo changes, due to the evolution of the market, the update of the range of services we provide or legislative changes in the field of data protection. We will publish any new version of this information on our websites.

We kindly recommend you to check each and every time you visit a website belonging to our company the current provisions, in order to be always informed. By accessing our website or using our services through the website, after the modifications, the new provisions will be considered as accepted.

____________________________________

Data Protection Officer (PDO):

You can address any question, comment or any request regarding your data to our Data Protection Officer at the e-mail address: [email protected] or at company address: Bucharest, District 2, 020335, 9-9A Dimitrie Pompeiu, Iride Business Park, Building 24, 2nd floor.

__________________________________________

National Supervisory Authority for Personal Data Processing

http://www.dataprotection.ro

B-dul Gen. Gheorghe Magheru 28-30, sector 1, Bucuresti

Phone: +40.318.059.211

Fax : +40.318.059.602

E-mail : [email protected]

__________________________________________

European Data Protection Supervisor: https://edps.europa.eu/edps-homepage_en