Information about the processing of personal data in Gjensidige

We take your personal data seriously, and we want you to feel assured that we protect them expediently. Here, we explain how we collect and use data about you, describe your rights and how you can safeguard your data.

What is personal data?

What is processing of personal data?
Processing of personal data means, for example, collection, registration, organisation, structuring, storage, adaptation or alteration, retrieval, use, transfer and erasure.

What are lawful bases for processing?


The processing of personal data must be based on legal grounds, known as the lawful basis for processing. Different lawful bases for processing are described in the Personal Data Act. Those most relevant to Gjensidige Forsikring are:

  • that it is necessary to fulfil a contract with the person the personal data concern
  • that the person the personal data concern has given their consent
  • that it is necessary for complying with laws and regulations
  • that we have a legitimate interest in the processing, where the processing is necessary and the interests of the person the data concern do not demand protection.

The data controller

The data controller is the legal entity that decides the purpose of the processing of personal data and what tools are to be used. The data controller is responsible for ensuring that measures are implemented to meet data protection regulations, including drawing up requirements for internal control and information security.

The legal entity responsible for processing your personal data is Gjensidige Forsikring ASA, Schweigaards gate 21, NO-0191 Oslo, organisation number 995 568 217.

Contact address: Gjensidige Forsikring ASA, P. O. Box 700 Sentrum, NO-0106 Oslo.

Gjensidige Forsikring Norway also does business under the brand Gouda. We also have an official presence on other websites and in applications; see the overview of Gjensidige’s official online channels.

 

Data protection officer

Gjensidige Forsikring has a data protection officer who is tasked with ensuring that the enterprise processes personal data in accordance with applicable laws and regulations.

The data protection officer is also a resource person for customers. If you have any questions about how we use your personal data, or you have any suggestions for us, you can contact the data protection officer at personvernombudet@gjensidige.no, or send a letter to: Gjensidige Forsikring ASA, att./Personvernombudet, P. O. Box 700 Sentrum, NO-0106 Oslo.

How do we use your personal data?

Processing of special categories of (sensitive) personal data

Gjensidige processes some special categories of personal data. The most common categories are health information and information about trade union membership.

Health information
Gjensidige Forsikring processes health information when necessary, for example, when issuing health and life insurance policies, and in connection with claims and settlement. Health information is considered to be a special category of (sensitive) personal data in the Personal Data Act, and special rules apply to the processing of such data. If health information is required to conclude a contract, we will obtain your consent on conclusion of the contract. If you do not give your consent, the insurance contract cannot be entered into.

Health information can also be processed where necessary related to the development of tariffs, in analyses linked to solvency and capital adequacy requirements etc. The processing is necessary in order to fulfil Gjensidige’s legal obligations, stipulated to safeguard important public interests.

Lawful basis for processing
If special categories of (sensitive) personal data are processed to enter into a contract, we will ask for your consent to this.

As a financial undertaking, Gjensidige Forsikring is obliged, among other things, to monitor the value of assets, provisions and risk, and to calculate capital requirements. This processing is necessary in order to fulfil legal obligations required of the undertaking, stipulated to safeguard important public interests.

We also process special categories of (sensitive) personal data when necessary to process and settle a claim. The legal basis for such processing is that it is necessary in order to establish a legal claim.

Information about trade union membership
Gjensidige has cooperation agreements with different clubs, associations and organisations, and these agreements entitle the members to benefits and adapted products. Trade union membership is considered a special category of (sensitive) personal data in the Personal Data Act, and specific rules apply to the processing of such data. If relevant, we will obtain your consent to process data about trade union membership. The consent is obtained when entering the contract and/or when the insurance contract is renewed. This data must be processed for you to be entitled to membership benefits and to receive adapted products. If you do not wish us to process data about your trade union membership, you can apply for insurance on ordinary terms.

If you consent to us processing data about your trade union membership, the data can be used internally in our customer follow-up, for example in analyses and when we customise offers. We never share data about your trade union membership with third parties without your consent.

Lawful basis for processing
The processing of data about trade union membership is based on the consent of the person concerned.

Collection of personal data

What personal data do we collect?
The personal data we collect depends on your relationship with us. You may be a policyholder, a beneficiary who is not a policyholder, a claimant, witness, agent, health professional or other service provider, appointed representative or another person linked to Gjensidige. What personal data we collect also depends on what insurance policies you have with us. The personal data we collect can include:

  • General identification and contact information such as: Name, address, telephone number, email address, gender, family status, date of birth, children, educational background, and relationship with the policyholder, the insured party or the claimant.
  • Other identification numbers issued by public authorities such as: Date of birth, vehicle registration number, driving licence number and passport number.
  • Financial information: Income information, payment card number, account number and account information, credit history, creditworthiness, assets, property and other financial information.
  • Health information: For some of our services, we need to collect and process special categories of personal data, for example health information. This could be information that could typically be found in a doctor's patient records, i.e. information about current or previous physical or mental health conditions, health status, information about injuries, functional impairments, operations, personal habits (smoking, alcohol consumption), prescription information, case history, ability to work, sickness absences and family case history.
  • Other special categories of personal data: Information about trade union membership.
  • Information that is required in order to deliver products and services, such as: Addresses and ID information for insured assets (a property’s address or a vehicle’s registration number), information about previous accidents or claims, cause of damage, position as board member or partner, or other ownership or management interests in an undertaking and information about other policies you hold.

We refer to our page regarding security on our website where you can read about, among other things, the electronic traces we log.

We also use cookies on our website. Read more about what cookies are and how we use them.

The sources we obtain personal data from
The source your data comes from depends on your relationship with us. If you are a customer, agent, health professional or another of our service providers, we generally obtain data directly from you. Sometimes we obtain information from other parties, for example public or private institutions.

For example, if you are a claimant, beneficiary who is not a policyholder or witness, we may have received or obtained information from public or private institutions or others in connection with the purchase of insurance or settling a claim.

Relating to the purchase of insurance, or changing or renewing insurance, we can obtain information from, among others:

  • Public institutions and registers, such as: The Population Register, the Tax Register, the Brønnøysund Register Centre, the Property Register and the Central Register of Motor Vehicles.
  • Other private institutions: banks and credit companies, other insurance companies, the register of insurance applicants and insured parties (ROFF), the joint register of motor insurance associations (TFF Auto) and other partners that sell insurance products directly to customers.
  • Other relevant sources can be employers (for those with group insurance policies) or guardians.

Regarding claims settlements, it may also be relevant to obtain information from:

  • Public institutions including the police, the Norwegian Labour and Welfare Administration (NAV), the tax authorities, the courts and the Brønnøysund Register Centre.
  • Other private institutions such as other insurance companies, banks and credit companies, the register of insurance applicants and insured parties (ROFF), the Norwegian Insurance Central Claims Register (FOSS), different health professionals and other specialists such as doctors, hospitals, chiropractors and providers such as garages and assessors.
  • Other relevant sources can be witnesses, counterparties in claims cases and lawyers.

We also cooperate with insurance mediators and partners who sell our products. If you purchase insurance via a mediator where we are the insurance distributor, we obtain your personal data from our agents. See an overview of the agents we use.


We inform you
You will be informed if we obtain information about you, unless its collection is regulated by law, notification is impossible or disproportionately difficult or there is no doubt that you already know the information to be contained in the notification.

Disclosure of your personal data


Gjensidige is subject to a duty of secrecy concerning customer data. If the law permits, Gjensidige can make your data available to others.

Use of data processors


We enter into data processor agreements with all the undertakings that process personal data on our behalf. Our data processors cannot process your personal data in any other way than that agreed with us, and described in this privacy statement. We use data processors, among other things, as suppliers of ICT services.

Disclosure of personal data to third countries outside the EU/EEA

Gjensidige processes your personal data within the EU/EEA area. It may be necessary to transfer your personal data to a country outside the EU/EEA area (third country transfer), for example to perform ICT services. We will in such case ensure that data protection is expediently safeguarded by entering into agreements with suppliers based on contracts that guarantee an adequate level of protection, e.g. the EU Commission’s standard contract for transfers to third countries or by ensuring that suppliers meet the requirements of special certifications, e.g. EU-US Privacy Shield (if the transfer is to the US).

In special situations and only when necessary, data about you can be transferred to third countries without contracts or certifications being in place that ensure an adequate level of protection and without your consent. If, for example, you become ill or sustain an injury while you are travelling in third countries without such contracts or certifications in place, Gjensidige will be able to transfer information about you and the insurance contract to the hospital, doctors and other medical personnel to ensure that you receive the medical treatment you require.

Processing is necessary to fulfil our contract with you. If the processing covers special categories of (sensitive) personal data, the ground for such processing is that it is necessary for establishing a legal claim or necessary for protecting your interests in a case where you are not physically or legally able to give your consent.

Gjensidige has a partnership agreement with Tata Consultancy Services (TCS) in India. The company assists Gjensidige with digitalisation, automation and case processing in individual business processes. To facilitate the performance of specific tasks, authorised TCS personnel have access to certain systems containing personal data that will be stored and processed in the EU/EEA. Such remote access is formally deemed to constitute transfer of personal data to a third country. The basis for the transfer is the European Commission’s standard contractual clauses, which are available in multiple languages at EUR-Lex – Access to European Union law. 

 

How long do we store your personal data?

Potential customers
If you have received an offer of insurance, but choose not to accept it, we erase your personal data after 30 days, unless we are in dialogue with you about the offer. For customers other than private customers, we delete the personal data after 1 year if the offer is not accepted.

Customers
Your personal data will be processed as long as you have an insurance policy with Gjensidige Forsikring. After a contract with us is terminated, Gjensidige Forsikring will, due to the possibility of future insurance claims that can be traced back to the contract, store the data until the limitation period for the products in question has expired. The limitation periods vary, but if, for example, you have filed a claim with us concerning objects of value, the limitation period is ten years. This means that the information in this case is erased ten years after the expiry of the insurance policy. When the limitation period expires, your personal data will automatically be erased from our systems.

Automated individual decision-making

We use automated individual decision-making in Gjensidige. Such decisions are important to efficient operations. Profiling can be used in such decisions. If the result of an automated individual decision affects you significantly, you can request a manual assessment of the decision. You will be informed of this in the instances where this right applies.

Purchasing, changing and renewing insurance
When you purchase an insurance policy, we may perform a credit check. This is based on information from a third party. In the event of any payment remarks, we can request an advance payment before activating the insurance. The decision will be automated if you purchase insurance in our online shop, and, where relevant, information about this together with your rights will be provided.

We also calculate insurance prices when providing offers, changes and annual renewal. The calculation of price is an automated process, and profiling makes up part of the process of calculating the right price in relation to the insurance risk. The profiling can include personal data such as age, address, car registration number, type of housing and the number of claims in the past five years. Profiling based on information from a third party may also be used in the price calculation. Calculating the price of insurance and processing personal data are necessary to be able to provide insurance. We also use factors such as age, education and occupation in calculating the price of certain accident and health insurance products.

Claims reports and processing
Some automated decisions are made in connection with the processing of claims. The decisions will be based on the company’s insurance terms, what the insurance covers and the information you give us in the claims form. If a case is decided based on automated processing, you will be given information about the outcome of the decision and the rights that arise.

Your rights

The Personal Data Act gives you a number of rights when we process your personal data. Below, we describe the rights, when they apply and how you can exercise these rights.

Please note that exercising some of the rights can affect our ability to deliver products and services to you, or to deliver them in the same way. One example of this is where consent is required to process certain data in a contract, and where we use data about you to adapt the advice and offers you receive.

Access
You have the right of access to see which parts of your personal data we process, and you have the right to be given a copy of these personal data. By logging in to www.gjensidige.no you can access more of the information we have registered about you. When logged in, you can manage your contact details, family, bank account, reservations and consents etc. You can also view information on previous and ongoing claims. For further information, you can contact us to gain access to the data we have about you. See our contact information here.

Correction
If you believe that the personal data we have about you is incorrect or incomplete, you have the right to ask that the personal data be corrected or updated.

Erasure
You can ask for your personal data to be erased if:

  • you believe that the personal data are no longer necessary for the purpose we obtained them for
  • you wish to withdraw a consent given to us, and there is no other legal ground for the processing
  • the processing of the personal data is in breach of applicable laws

We are obliged to store personal data about you for a given period if you have taken out insurance with us with a limitation period. In such cases, data must be stored about you due to the possibility of future claims for compensation that can be traced back to the contract. The right to erase your personal data does not apply in such cases.

Restricting processing of personal data
You also have the right to request that the processing of your personal data be restricted if you believe that:

  • the data we have about you are incorrect
  • we do not need the personal data for the purposes they were collected for, but you need them to establish, exercise or defend a legal claim
  • the processing of the personal data is in breach of applicable laws.


Objecting to processing
If the processing of your personal data is based on our legitimate interest, you can object to the processing if there are special reasons linked to your individual situation. This does not apply if we can present compelling legitimate reasons for processing the data.

Objecting to processing for marketing purposes
You have an unconditional right to object to your personal data being processed for direct marketing purposes.

Withdrawing consent
If the processing of your personal data is based on your consent, you have the right at all times to withdraw your consent. Withdrawing your consent does not affect the legality of our use of your personal data prior to the withdrawal of consent.

You can contact us to change your consent. See our contact information here.

Portability
You have the right to be given a copy of the personal data that you have provided to Gjensidige. The copy can be forwarded in a structured, commonly used and machine-readable format (data portability). The right to data portability is different from the right to access in that you have the right to access personal data that you have given us yourself and that are processed under certain legal grounds, for example to enter into or to fulfil a contract with you. 

You can contact us to get a copy of your personal data. See our contact information here.

Complaints
You can contact us if you have questions about how we have processed your personal data. If you wish to file a complaint, you can contact our data protection officer who will investigate the matter. You can also file a complaint with the Norwegian Data Protection Authority.

How you can exercise your rights
If you would like to exercise your data protection rights, you can log into your personal area at www.gjensidige.no. There, you will find a lot of the data we have about you and you can request further access. You can also correct or add personal data, and ask to be sent personal data about you that you have given us yourself. You will find these choices under ‘My data’ in the menu on your login area.

When you log into your area on our website, you can also change any consent you have given. We handle any consent that cannot be administered via the login area under the individual processes where you have given your consent. An example of this is the collection of personal data in connection with the settlement of your claim. If we need your consent to use your personal data in other cases, we will inform you of this during the process.

You can contact us to ask for your personal data to be erased. See our contact information here.

Notify us of any personal data breaches
A breach is processing of personal data that deviates from laws or internal rules, or that arises as a result of technical errors. A deviation occurs when there has been unintended or unlawful disclosure of or access to personal data, or when personal data have fallen into the wrong hands. Please notify us if you become aware of such breaches taking place.

Changes in the privacy statement
We regularly update the privacy notice to ensure it provides correct information about how we process personal data.

Last updated October 22.


 

How you can exercise your rights

If you would like to exercise your data protection rights, you can log into your personal area at www.gjensidige.no. There, you will find a good deal of the information we have about you, and you can request further access. You can also correct or add personal data, and ask to be given the personal data about yourself that you have given us. You will find these choices under ‘My data’ in the menu in your logged-in area.

When you log into our website, you can also change your consents. We handle consents that cannot be administered via the logged-in pages in the individual processes where you have given your consent. An example of this is the collection of personal data in connection with the settlement of your claim. If there are other cases where we need consent to use your personal data, we will inform you of this during the process.

You can ask for your personal data to be erased by sending us a request.

If you do not use the logged-in pages, you can call us; see our contact information here.

Notify us of any personal data breaches

A breach is processing of personal data that deviates from laws or internal rules, or that results from technical errors that may occur. If an unintended or unlawful disclosure of or access to personal data has taken place, or if personal data have gone astray, a deviation has occurred. Please let us know if you become aware of such breaches.

Changes in the privacy statement

We regularly update the privacy statement to give you correct information about how we process personal data.