Information about the processing of personal data in Gjensidige

We take your personal data seriously, and we want you to feel assured that we protect them expediently. Here, we explain how we collect and use data about you, describe your rights and how you can safeguard your data.

What is personal data?

Personal data are pieces of information that can be linked directly to you as a person, for example your personal ID number, address, phone number etc. We need this type of information in order to provide services to our customers. We process personal data in connection with our provision of insurance services.

What is processing of personal data?

Processing of personal data means, for example, collection, registration, organisation, structuring, storage, adaptation or alteration, retrieval, use, transfer and erasure.

What are lawful bases for processing?

The processing of personal data must be based on legal grounds, known as the lawful basis for processing. Different lawful bases for processing are described in the Personal Data Act. Those most relevant to Gjensidige Forsikring are:

  • that they are necessary to fulfil a contract with the person the personal data concern
  • that the person the personal data concern has given their consent
  • that they are necessary for complying with laws and regulations
  • that we have a legitimate interest in the processing, which is necessary, and where the interests of the person the data concern do not demand protecting.

The data controller

The data controller is the legal entity who decides the purpose of the processing of personal data and what tools are to be used. The data controller is responsible for ensuring that measures are implemented to meet data protection regulations, including requirements being drawn up for internal control and information security.

The legal entity responsible for processing your personal data is Gjensidige Forsikring ASA, Schweigaards gate 21, NO-0191 Oslo, organisation number 995 568 217.

Contact address: Gjensidige Forsikring ASA, P. O. Box 700 Sentrum, NO-0106 Oslo.

Gjensidige Forsikring Norway also does business under the brand Gouda. We also have an official presence in other online sites and applications, see overview of Gjensidige’s official online channels.

Data protection officer

Gjensidige Forsikring has a data protection officer who is tasked with ensuring that the enterprise processes personal data in accordance with applicable laws and regulations.

The data protection officer is also a resource person for customers. If you have any questions about how we use your personal data, or you have any suggestions for us, you can contact the data protection officer at personvernombudet@gjensidige.no, or send a letter to: Gjensidige Forsikring ASA, att./Personvernombudet, P. O. Box 700 Sentrum, NO-0106 Oslo.

How do we use your personal data?

  • Gjensidige Forsikring processes personal data in order to offer you insurance, when you enter into an insurance contract with us, and when you renew your insurance contract.

    You sometimes have to fill in a health declaration in connection with health and life insurance. Health information is considered a special category of (sensitive) personal data. We obtain your consent to process such data upon entering a contract with you. The data we obtain are necessary to enter the contract. If you do not give us the information, the insurance contract cannot be entered.

    If it is a condition that you are a member of a trade union to be entitled to an offer from us, we obtain your consent to process the information that you are a member of a trade union. The consent is obtained when entering the contract and/or when the insurance contract is renewed. This data must be processed for you to be entitled to membership benefits and to receive adapted products. If you do not want us to process data about your trade union membership, you can apply for insurance on ordinary terms.

    Lawful basis for processing

    Processing personal data is necessary to enter into and fulfil the contract with you, or implement measures at your request before entering into a contract.

    If special categories of (sensitive) personal data have to be processed to enter into a contract, we will ask for your consent to this.

  • We process your personal data to safeguard the customer relationship. Our customers are registered in a customer register. We communicate with you about changes in our insurance policies, changes in our terms and conditions, changes in our electronic services and to provide other important information. We process personal data in order to invoice and manage the contracts we have with you, such as insurance- and assistance services.

    Lawful basis for processing

    Processing personal data is necessary to fulfil our contract with you.

    If we have to process special categories of (sensitive) personal data to fulfil the agreement with you, we will ask for your consent.

  • Gjensidige is a financial group comprising several companies, and the financial group has a joint customer register for the financial undertakings. This includes pensions and insurance. The purpose of the group customer register is to manage customer relationships and to coordinate the advice and services offered by the different companies in the group.

    The group customer register contains general information about you such as your name, date of birth, address and contact information, information about which group company you are a customer of and which services and products you have purchased. Your personal ID number can be disclosed to and registered in the joint group customer register for the purpose of managing the customer relationship.

    Lawful basis for processing

    Gjensidige has a legitimate interest in managing customer relationships and coordinating the advice and services provided by the different companies in Gjensidige.

  • When we receive enquiries from you, we use data about you to respond to your enquiry. This can, for example, concern questions about our products and services, and applies whether the enquiry is made by phone, email or chat.

    Lawful basis for processing

    Gjensidige has a legitimate interest in providing good information and answering your questions.

  • We process personal data in connection with claims, including assessing, processing and settling claims. We can also use health information when it is necessary to assess a claim.

    Lawful basis for processing

    Processing personal data is necessary to fulfil our contract with you.

    In connection with claims processing, Gjensidige also has a legitimate interest in processing data about people who are not customers, for example witnesses or claimants.

    We process special categories of (sensitive) personal data when necessary to process and settle a claim. The basis for such processing is that it is necessary in order to establish a legal claim.

  • We process personal data to prevent and detect possible criminal offences, for example fraud against Gjensidige Forsikring. Such processing includes profiling which can form the basis for a claim being selected for inspection. Contact with Gjensidige, also activity on logged-in pages, can be used for this purpose. Claims sent for inspection are manually processed by a case manager.

    Gjensidige Forsikring processes personal data in order to prevent and uncover transactions linked to the proceeds of criminal acts or linked to the financing of terrorism. The Money Laundering Act requires Gjensidige Forsikring to investigate and report suspicious transactions to the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime (Økokrim).

    Lawful basis for processing

    Gjensidige is obliged to prevent and uncover transactions linked to the proceeds of criminal acts or linked to the financing of terrorism in order to fulfil its legal obligations.

    Gjensidige Forsikring has a legitimate interest in protecting itself against criminal acts and ensuring that settlements are correct.

  • Gjensidige Forsikring uses personal data to be able to provide information, relevant advice and market its products and services. To be able to reach you with the right message, at the right time and through the right channel, the message can be adapted to you through profiling and segmentation. We do this by utilising mathematical models, data we have about you and information we receive from third parties.

    If you discontinue a price calculation in the online shop, we may contact you to give you an offer based on this price calculation. If you are not a customer and have opted out of receiving telephone sales calls etc. through the reservation register in the Brønnøysund Register Centre, we will not contact you. You can also contact us to opt out of receiving such calls.

    We request the consent of those who are not our customers before we send electronic marketing, for example, through channels such as emails or text messages. In such marketing, we ensure that you can simply choose not to be sent electronic communication in future.

    Lawful basis for processing

    If you have a customer relationship with Gjensidige Forsikring, the processing of your personal data will be based on Gjensidige Forsikring’s legitimate interest in giving you information and offers. You can choose not to receive such information at any time.

    If you do not have a customer relationship with us, Gjensidige Forsikring has a legitimate interest in marketing its products and services, as long as you have not opted out of such marketing through us or through the reservation register in the Brønnøysund Register Centre.

    Gjensidige Forsikring can otherwise only use personal data to send you information and offers if you have requested this.

  • We process personal data in order to perform market and customer satisfaction surveys and analyses of the responses, for example when we ask if you are satisfied after speaking to us or after the settlement of a claim. We also process personal data in order to improve the quality of our services and products and in connection with training our employees.

    Lawful basis for processing

    Gjensidige Forsikring has a legitimate interest in obtaining information about how we are perceived as a company, and your and others’ opinions about our products, services and customer service.

    By responding to customer and market surveys, you consent to us processing the data.

  • We process personal data when we carry out analyses, for example by stipulating price levels (tariffing), profitability analyses and in connection with the development of products and services.

    Lawful basis for processing

    The processing is necessary to fulfil legal obligations required of the company pursuant to relevant insurance and financial institution law and regulations. Gjensidige Forsikring has a legitimate interest in processing personal data in order to carry out customer analyses to increase insight.

  • When you are in contact with us by telephone, we sometimes want to record the conversation. This is done in order to improve our service to you as a customer, as well as document what has been agreed. Recording is voluntary, and you will be informed in advance and given the opportunity to decline. Such recordings can be stored for up to 2 years.   

    Lawful basis for processing

    You consent to call recording by not declining the request. Gjensidige Forsikring has a legitimate interest in processing personal data in order to carry out customer analyses for increased customer insight.

  • Gjensidige Forsikring processes personal data where necessary to meet official requirements and comply with laws, including those relating to insurance undertakings and insurance products, measures to counteract money laundering and terrorism, reporting to official authorities, legal orders, security requirements and responses to requests from official authorities.

    Lawful basis for processing

    The processing is necessary in order to fulfil legal obligations required of the company.

  • We process your personal data in order to establish, exercise or defend legal claims, for example in connection with handling complaints, recourse claims and legal processes.

    Lawful basis for processing

    The processing is necessary in order to safeguard Gjensidige Forsikring or a third party’s legitimate interest in establishing, exercising or defending legal claims.

    If the processing of special categories of (sensitive) personal data is necessary in order to safeguard the purpose, the lawful basis for processing is that it is necessary to establish, exercise or defend a legal claim.

  • We process your personal data in order to secure Gjensidige’s assets, for example in connection with logging onto servers, operating infrastructure, firewalls, access control and camera surveillance.

    Lawful basis for processing

    Gjensidige Forsikring has a legitimate interest in maintaining operational reliability.

  • We process your personal data in order to identify the potential demand for new products and services or to improve existing products and services, for example analyses and testing in connection with development.

    Lawful basis for processing

    Gjensidige Forsikring has a legitimate interest in developing new and existing products and services.

Processing of special categories of (sensitive) personal data

Gjensidige processes some special categories of personal data. The most common categories are health information and information about trade union membership.

Health information

Gjensidige Forsikring processes health information when necessary, for example, when issuing health and life insurance policies, and in connection with claims and settlement. Health information is considered to be a special category of (sensitive) personal data in the Personal Data Act, and special rules apply to the processing of such data. If health information is required to conclude a contract, we will obtain your consent on conclusion of the contract. If you do not give your consent, the insurance contract cannot be entered.

Health information can also be processed where necessary related to the development of tariffs, in analyses linked to solvency and capital adequacy requirements etc. The processing is necessary in order to fulfil Gjensidige’s legal obligations, stipulated to safeguard important public interests.

Lawful basis for processing

If special categories of (sensitive) personal data are processed to enter into a contract, we will ask for your consent to this.

As a financial undertaking, Gjensidige Forsikring is obliged, among other things, to monitor the value of assets, provisions and risk, and to calculate capital requirements. This processing is necessary in order to fulfil legal obligations required of the undertaking, stipulated to safeguard important public interests.

We also process special categories of (sensitive) personal data when necessary to process and settle a claim. The legal basis for such processing is that it is necessary in order to establish a legal claim.

Information about trade union membership

Gjensidige has cooperation agreements with different clubs, associations and organisations, and these agreements entitle the members to benefits and adapted products. Trade union membership is considered a special category of (sensitive) personal data in the Personal Data Act, and specific rules apply to the processing of such data. If relevant, we will obtain your consent to process data about trade union membership. The consent is obtained when entering the contract and/or when the insurance contract is renewed. This data must be processed for you to be entitled to membership benefits and to receive adapted products. If you do not wish us to process data about your trade union membership, you can apply for insurance on ordinary terms.

If you consent to us processing data about your trade union membership, the data can be used internally in our customer follow-up, for example in analyses and when we customise offers. We never share data about your trade union membership with third parties without your consent.

Lawful basis for processing

The processing of data about trade union membership is based on the consent of the person concerned.

Collection of personal data

What personal data do we collect?

The personal data we collect depends on your relationship with us. You may be a policyholder, a beneficiary who is not a policyholder, a claimant, witness, agent, health professional or other service provider, appointed representative or another person linked to Gjensidige. What personal data we collect also depends on what insurance policies you have with us. The personal data we collect can include:

General identification and contact information such as: Name, address, telephone number, email address, gender, family status, date of birth, children, educational background, and relationship with the policyholder, the insured party or the claimant.

Other identification numbers issued by public authorities such as: Date of birth, vehicle registration number, driving licence number and passport number.

Financial information: Income information, payment card number, account number and account information, credit history, creditworthiness, assets, property and other financial information.

Health information: For some of our services, we need to collect and process special categories of personal data, for example health information. This could be information that could typically be found in a doctor's patient records, i.e. information about current or previous physical or mental health conditions, health status, information about injuries, functional impairments, operations, personal habits (smoking, alcohol consumption), prescription information, case history, ability to work, sickness absences and family case history.

Other special categories of personal data: Information about trade union membership.

Information that is required in order to deliver products and services, such as: Addresses and ID information for insured assets (a property’s address or a vehicle’s registration number), information about previous accidents or claims, cause of damage, position as board member or partner, or other ownership or management interests in an undertaking and information about other policies you hold.

We refer to our page regarding security on our website where you can read about, among other things, the electronic traces we log.

We also use cookies on our website. Read more about what cookies are and how we use them.

The sources we obtain personal data from

The source your data comes from depends on your relationship with us. If you are a customer, agent, health professional or another of our service providers, we generally obtain data directly from you. Sometimes we obtain information from other parties, for example public or private institutions.

For example, if you are a claimant, beneficiary who is not a policyholder or witness, we may have received or obtained information from public or private institutions or others in connection with the purchase of insurance or settling a claim.

Relating to the purchase of insurance, or changing or renewing insurance, we can obtain information from among others:

  • Public institutions and registers, such as: The Population Register, the Tax Register, the Brønnøysund Register Centre, the Property Register and the Central Register of Motor Vehicles. 
  • Other private institutions: banks and credit companies, other insurance companies, the register of insurance applicants and insured parties (ROFF), the joint register of motor insurance associations (TFF Auto) and other partners that sell insurance products directly to customers.
  • Other relevant sources can be employers (for those with group insurance policies) or guardians.

Regarding claims settlements, it may also be relevant to obtain information from: 

  • Public institutions including the police, the Norwegian Labour and Welfare Administration (NAV), the tax authorities, the courts and the Brønnøysund Register Centre.
  • Other private institutions such as other insurance companies, banks and credit companies, the register of insurance applicants and insured parties (ROFF), the Norwegian Insurance Central Claims Register (FOSS), different health professionals and other specialists such as doctors, hospitals, chiropractors and providers such as garages and assessors.
  • Other relevant sources can be witnesses, counterparties in claims cases and lawyers.

We also cooperate with insurance mediators and partners who sell our products. If you purchase insurance via a mediator where we are the insurance distributor, we obtain your personal data from our agents. See an overview of the agents we use.

We inform you

You will be informed if we obtain information about you, unless its collection is regulated by law, notification is impossible or disproportionally difficult or there is no doubt that you already know the information to be contained in the notification.

Disclosure of your personal data

Gjensidige is subject to a duty of secrecy concerning customer data. If the law permits, Gjensidige can make your data available to others.

  • The companies in the Gjensidige Group are subject to a duty of secrecy concerning customer data. Gjensidige has a group customer register that contains general information about you such as your name, date of birth, address and contact information, information about which company you are a customer in and which services and products you have purchased. We can enter your personal ID number in Gjensidige’s joint customer register for the purpose of managing customer relations.

    We will not share other data for use in offering advice, offers and marketing unless you have given your consent.

  • We can disclose personal data to third parties if it is deemed necessary to perform a task relating to fulfilling your contract with us. We only do this when it is permitted by law and when it does not violate our duty of secrecy. For example, we can disclose personal data to clients who deliver damage limitation and remedy services and to independent craftsmen. Relevant sub-contractors include assessors, craftsmen and workshops, and different health professionals such as chiropractors, doctors and physiotherapists.

  • We share personal data with other insurance companies in connection with, for example, recourse claims after a claim has been decided. The insurance company that receives the personal data is the controller for its own processing of the data when they deal with the recourse claim.

  • When using insurance mediation through our agents, we share personal data to enable the insurance mediator to check our calculation of the insurance mediator’s commission. The insurance mediator is the controller responsible for their own processing of personal data for this purpose.

  • All companies that sell health and life insurance share some personal data in a joint register (ROFF) that is administered by Finance Norway, an industry organisation for the financial industry in Norway. The register does not contain special categories of (sensitive) personal data. The purpose of the register is, among other things, to reduce the likelihood of inadequate or incorrect information or insurance fraud.

    In order to prevent and limit insurance fraud in connection with claims reports and settlements, the insurance companies have a joint claims register (FOSS). The register is administered by Finance Norway. When a customer reports a claim to us, the claim is also reported to this register. We then receive the customer’s complete claims history from the register, regardless of the insurance company.

    You will be notified when the information is registered in ROFF or FOSS.

  • Money laundering is the process of transforming the proceeds of crime into legitimate assets. Gjensidige Forsikring has a duty to prevent and combat money laundering and to prevent people from using the company for laundering the proceeds of crime. The same applies to financing of terrorism.

  • In some cases, we are required by law to disclose data to other parties, and such disclosure obligations have precedence over the duty of secrecy. This applies to, among other things, disclosure to the tax authorities and to the Norwegian Labour and Welfare Administration (NAV). We may also be subject to a disclosure obligation in relation to the police, courts, lawyers/administrative receivers and the supervisory authorities. In such cases, information about you may be disclosed without your consent.

Use of data processors

We enter into data processor agreements with all the undertakings that process personal data on our behalf. Our data processors cannot process your personal data in any other way than that agreed with us, and described in this privacy statement. We use data processors, among other things, as suppliers of ICT services.

Disclosure of personal data to third countries outside the EU/EEA

Gjensidige processes your personal data within the EU/EEA area. It may be necessary to transfer your personal data to a country outside the EU/EEA area (third country transfer), for example to perform ICT services. We will in such case ensure that data protection is expediently safeguarded by entering into agreements with suppliers based on contracts that guarantee an adequate level of protection, e.g. the EU Commission’s standard contract for transfers to third countries or by ensuring that suppliers meet the requirements of special certifications, e.g. EU-US Privacy Shield (if the transfer is to the US).

In special situations and only when necessary, data about you can be transferred to third countries without contracts or certifications being in place that ensure an adequate level of protection and without your consent. If, for example, you become ill or sustain an injury while you are travelling in third countries without such contracts or certifications in place, Gjensidige will be able to transfer information about you and the insurance contract to the hospital, doctors and other medical personnel to ensure that you receive the medical treatment you require.

Processing is necessary to fulfil our contract with you. If the processing covers special categories of (sensitive) personal data, the ground for such processing is that it is necessary for establishing a legal claim or necessary for protecting your interests in a case where you are not physically or legally able to give your consent.

Gjensidige has a partnership agreement with Tata Consultancy Services (TCS) in India. The company assists Gjensidige with digitalisation, automation and case processing in individual business processes. To facilitate the performance of specific tasks, authorised TCS personnel have access to certain systems containing personal data that will be stored and processed in the EU/EEA. Such remote access is formally deemed to constitute transfer of personal data to a third country. The basis for the transfer is the European Commission’s standard contractual clauses, which are available in multiple languages at EUR-Lex – Access to European Union law. 

How long do we store your personal data?

Potential customers

If you have received an offer of insurance, but choose not to accept it, we erase your personal data after 30 days, unless we are in dialogue with you about the offer. For customers other than private customers, we delete the personal data after 1 year if the offer is not accepted.

Customers

Your personal data will be processed as long as you have an insurance policy with Gjensidige Forsikring. After a contract with us is terminated, Gjensidige Forsikring will, due to the possibility of future insurance claims that can be traced back to the contract, store the data until the limitation period for the products in question has expired. The limitation periods vary, but if, for example, you have filed a claim with us concerning objects of value, the limitation period is ten years. This means that the information in this case is erased ten years after the expiry of the insurance policy. When the limitation period expires, your personal data will automatically be erased from our systems.

Automated individual decision-making

We use automated individual decision-making in Gjensidige. Automated decisions are important to efficient operations. Profiling can be used in such decisions. If the result of an automated individual decision affects you significantly, you can request a manual assessment of the decision. You will be informed of this in the instances where this right applies.

Purchasing, changing and renewing insurance

When you purchase an insurance policy, we may perform a credit check. This is based on information from a third party. In the event of any payment remarks, we can request an advance payment before activating the insurance. The decision will be automated if you purchase insurance in our online shop, and, where relevant, information about this together with your rights will be provided.

We also calculate insurance prices when providing offers, changes and annual renewal. The calculation of price is an automated process, and profiling makes up part of the process of calculating the right price in relation to the insurance risk. The profiling can include personal data such as age, address, car registration number, type of housing and the number of claims in the past five years. Profiling based on information from a third party may also be used in the price calculation. Calculating the price of insurance and processing personal data are necessary to be able to provide insurance. We also use factors such as age, education and occupation in calculating the price of certain accident and health insurance products.

Claims reports and processing

Some automated decisions are made in connection with the processing of claims. The decisions will be based on the company’s insurance terms, what the insurance covers and the information you give us in the claims form. If a case is decided based on automated processing, you will be given information about the outcome of the decision and the rights that arise.

Your rights

The Personal Data Act gives you a number of rights when we process your personal data. Below, we describe the rights, when they apply and how you can exercise these rights.

Please note that exercising some of the rights can affect our opportunity to deliver the product and services to you, or deliver it in the same way. One example of this is where consent is required to process certain data in a contract, and where we use data about you to adapt the advice and offers you receive.

Access

You have right of access to see which parts of your personal data we process and you have the right to be given a copy of these personal data. By logging in to www.gjensidige.no you can access more of the information we have registered on you. When logged in you can manage your contact details, family, bank account, reservations and consents etc. You can also view information in previous and ongoing claims. For further information you can contact us to gain access to the data we have about you. See our contact information here.

Correction

If you believe that the personal data we have about you is incorrect or incomplete, you have the right to ask that the personal data be corrected or updated.

Erasure

You can ask for your personal data to be erased if:

  • you believe that the personal data are no longer necessary for the purpose we obtained them for
  • you wish to withdraw a consent given to us, and there is no other legal ground for the processing
  • the processing of the personal data is in breach of applicable laws

We are obliged to store personal data about you for a given period if you have taken out insurance with us with a limitation period. In such cases, data must be stored about you due to the possibility of future claims for compensation that can be traced back to the contract. The right to have your personal data erased does not apply in such cases.

Restricting processing of personal data

You also have the right to request that the processing of your personal data be restricted if you believe that:

  • the data we have about you are incorrect
  • we do not need the personal data for the purposes they were collected for, but you need them to establish, exercise or defend a legal claim
  • the processing of the personal data is in breach of applicable laws.

Objecting to processing

If the lawful basis for processing your personal data is our legitimate interest, you can object to the processing if there are special reasons linked to your individual situation. This does not apply if we can present compelling legitimate reasons for processing the data.

Objecting to processing for marketing purposes

You have an unconditional right to object to your personal data being processed for direct marketing purposes.

Withdrawing consent

If the processing of your personal data is based on your consent, you have the right at all times to withdraw your consent. Withdrawing your consent does not affect the legality of our use of your personal data prior to the withdrawal of consent.

You can contact us to change your consent. See our contact information here.

Portability

You have the right to be given a copy of the personal data that you have provided to Gjensidige. The copy can be forwarded in a structured, commonly used and machine-readable format (data portability). The right to data portability is different from the right to access in that it applies to personal data that you have given us yourself and that are processed under certain legal grounds, for example to enter into or to fulfil a contract with you.

You can contact us to get a copy of your personal data. See our contact information here.

Complaints

You can contact us if you have questions about how we have processed your personal data. If you wish to file a complaint, you can contact our data protection officer who will investigate the matter. You can also file a complaint with the Norwegian Data Protection Authority.

How you can exercise your rights

If you would like to exercise your data protection rights, you can log into your personal area at www.gjensidige.no. There, you will find a lot of the data we have about you and you can request further access. You can also correct or add personal data, and ask to be sent personal data about you that you have given us yourself. You will find these choices under ‘My data’ in the menu in your login area.

When you log into your area on our website, you can also change any consent you have given. We handle any consent that cannot be administered via the login area under the individual processes where you have given your consent. An example of this is the collection of personal data in connection with the settlement of your claim. If we need your consent to use your personal data in other cases, we will inform you of this during the process.

You can contact us to ask for your personal data to be erased. See our contact information here.

Notify us of any personal data breaches

A breach is processing of personal data that deviates from laws or internal rules, or that arises as a result of technical errors. A deviation consists of unintended or unlawful disclosure of or access to personal data, or of personal data falling into the wrong hands. Please notify us if you become aware of such breaches taking place.

Changes in the privacy statement

We regularly update the privacy notice to ensure it provides correct information about how we process personal data.

Last updated October 22.