This Privacy Policy (hereinafter – the Policy) regulates the processing of personal data by ERGO Insurance SE Lithuanian branch and ERGO Life Insurance SE (hereinafter – ERGO or we): the purposes and grounds for data processing, the provision and receipt of data, data storage periods, the rights of data subjects, information about the data controller and its contact details, etc.

This Policy is intended for data subjects (hereinafter – the data subjects or you) whose personal data is processed by ERGO, including data subjects who use or intend to use ERGO services or visit websites: www.ergo.lt, www.online.ergo.lt, www.mano.ergo.lt. 

ERGO processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter – the Regulation), the Law on Legal Protection of Personal Data, the Law on Insurance, the Law on Compulsory Insurance against Civil Liability in Respect of the Use of Motor Vehicles, the Law on Electronic Communications, the Law on the Prevention of Money Laundering and Terrorist Financing, and other legal acts regulating the processing and protection of personal data, as well as the instructions, explanations, and recommendations of data protection supervisory authorities.

ERGO takes the necessary technical and organizational measures to ensure adequate protection of personal data against accidental disclosure, alteration, or other unlawful processing of personal data.

Personal data – any information relating to an identified or identifiable natural person.

Data subject – a natural person whose personal data is processed by ERGO.

Data processing – any operation performed on personal data, whether by automated means or not, such as collection, recording, transmission, storage, etc.

Data controller – ERGO Insurance SE, registration address: Veskiposti 2/1, 10138 Tallinn, Estonia, company code 10017013, including the head office in Estonia and branches in Lithuania and Latvia, operating in Lithuania through ERGO Insurance SE Lithuanian Branch, address: Geležinio Vilko g. 6A, LT-03150 Vilnius, Lithuania, code 302912288, email: info@ergo.lt and ERGO Life Insurance SE, registration address: Geležinio Vilko g. 6A, LT-03507 Vilnius, Lithuania, company code 110707135, email: info@ergo.lt, including the head office in Lithuania and branches in Latvia and Estonia. ERGO Data Protection Officer’s email address: asmensduomenys@ergo.lt.

Data processor – a natural or legal person who processes personal data on behalf of the data controller and in accordance with the instructions and guidelines.

Main categories of personal data processed by ERGO (list is non-exhaustive):
 

• identification data, such as first name, last name, personal identification number, date of birth;
• contact details, such as address, email address, telephone number;
• data on insurance objects, depending on the type of insurance, e.g., vehicle make, model, licence plate number, identification number, immovable property address, property identification number, area;
• data for assessing insurance risk, depending on the type of insurance, e.g., driving experience, driver’s discipline history, credit rating, travel destination, purpose, participation in sports, leisure activities;  
• data on insurance contracts concluded, such as the type of insurance contract, number, dates of conclusion and validity, amount of premium;-    data on insurance contracts concluded, such as the type of insurance contract, number, dates of conclusion and validity, amount of premium;
• data related to (non-)insured events, such as the date and time of the event, circumstances of the event, damage (losses) incurred, data on services provided;
• financial data, such as account number, bank, payments made or overdue, source of income;
• health data, such as health status recorded in medical documents, treatment applied, illnesses;
• communication and customer service information, such as login and other data about browsing ERGO website and self-service website, telephone call recordings, correspondence with ERGO, and data on satisfaction with the services provided;
• video footage data;
• data for the purposes of complying with obligations under the Law on the Prevention of Money Laundering and Terrorist Financing, the Law on International Sanctions, legal requirements in the field of tax administration, etc.

ERGO collects and further processes your personal data on the following legal grounds.

Processing of personal data based on a contract or request to enter into a contract
ERGO collects and further processes your personal data in order to conclude an insurance contract and/or perform the insurance contract concluded with you, i.e. the legal basis for the processing of personal data most commonly used by ERGO in its relationship with data subjects. If, during the conclusion or performance of an insurance contract, for example, when administering a claim, it is necessary to process special categories data, including health data, ERGO will request the separate consent of the data subject for the processing of the respective personal data. Where personal data is necessary for the conclusion of an insurance contract or the administration of a claim, this means that without the data relating to that event, ERGO will not be able to conclude an insurance contract with you or handle the claim that has occurred. 

Processing of personal data based on a consent of a data subject
Personal data may be processed on the basis of consent, for example, for direct marketing purposes. Consent must be freely given, specific, and unambiguous, providing adequate information about the purpose of the processing of personal data. Health data that is necessary for the conclusion of a contract and/or the administration of claims may also be processed on the basis of consent. You can withdraw your consent by informing us by email at info@ergo.lt or by phone at 1887.

Personal data processing obligation provided for by legal acts
ERGO is required to process personal data by relevant legal acts, such as the Law on Insurance, the Law on the Prevention of Money Laundering and Terrorist Financing, the Law on Compulsory Insurance against Civil Liability in Respect of the Use of Motor Vehicles, the Law on Protection of Whistleblowers, the Law on International Sanctions, the Regulation, and other laws that ERGO is required to comply with and enforce. 

Processing of personal data on the basis of legitimate interest
Personal data must be processed for the legitimate interests of ERGO or a third party (only if the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, do not override those interests). ERGO’s legitimate interests may include: 
 

• in order to ensure that the obligations assumed under insurance contracts correspond to the risks posed by these contracts, ERGO may process historical insurance contract data to determine and assess the criteria relevant to insurance risk (e.g., the type or characteristics of the property that is associated with an increased insurance risk). On the basis of legitimate interest, data may be processed in order to identify unusual risk cases where automated processes (decisions) regarding the conclusion of insurance contracts cannot be applied;
• the fair and accurate assessment of insurance risk when using certain personal data of the data subject, such as credit rating in motor insurance, for the purpose of ensuring  the calculation of insurance premiums commensurate with the customer's risk and at the same time ensuring the effective management of ERGO's risks in the business of distributing insurance products;
• the proper administration of insurance contracts and the provision of information to policyholders about the validity periods of their insurance contracts, upcoming payment deadlines for payments of premiums under insurance contracts, and overdue payments by means of remote communication; ensuring the continuity of policyholders’ insurance coverage and the continuity of insurance legal relationships by preparing and sending renewals (insurance contract offers) to policyholders whose insurance contracts are expiring;
• the enforcement of ERGO's legitimate claims in order to recover amounts paid and overdue payments under the insurance contract;
• the protection of the interests and property of ERGO employees, customers, and other persons by conducting video surveillance of ERGO premises and territory;
• the reinsurance of insurance risks;
• the assessment and improvement of service quality;
• the prevention and investigation of misconduct and fraud. 

Processing of personal data based on the protection of the vital interests
Data processing is necessary in order to protect the vital interests of the data subject or of another natural person.

ERGO collects and continues to process your personal data only when and only such data as is necessary to achieve the purposes for which it is processed:
 

• for the purpose of identifying the data subject;
• for the purpose of determining the data subject’s needs;
• for the purpose of submitting a proposal to conclude an insurance contract with ERGO;
• for the purpose of determining and assessing criteria relevant to insurance risk;
• for the purpose of assessing insurance risk and calculating the premium;
• for the purposes of concluding, renewing, amending, administering and performing insurance contracts, for example, informing about the end of the contract, the approaching or overdue deadline for payment of the premium, termination of the contract, settlement of insurance premiums, preparation and sending of an insurance contract offer for a new insurance coverage period;
• for the purposes of recording, investigating, and determining the circumstances of (non-)insured events;
• for the purposes of determining the amounts of insurance benefits and their payment;
• for the purpose of reinsurance;
• for the purposes of retaining evidence of your application to us for the conclusion and performance of an insurance contract;
• for the purpose of direct marketing, for the purpose of surveys of customer opinions on the services provided;
• for the purposes of handling complaints, requests from data subjects, and investigating data security incidents;
• for the purpose of recovering amounts paid from persons responsible for the damage, for the purpose of recovering other overdue payments;
• for the purpose of video surveillance of ERGO premises and territory;
• for the purpose of assessing and improving the quality of services,
• for the purposes of preventing and investigating misconduct and fraud;
• for the purpose of ensuring the security of information systems and their network;
• for the purpose of ensuring compliance with regulatory requirements of legal acts and/or instructions of supervisory authorities, for example, the Law on Insurance, the Law on the Prevention of Money Laundering and Terrorist Financing, the Law on International Sanctions, the Law on the Protection of Whistleblowers, FACTA (Foreign Account Tax Act) and CRS (Common Reporting Standard);
• for the purposes of establishing, changing, administering, and maintaining legal relationships with partners, including insurance intermediaries.

ERGO usually obtains personal data from customers themselves, when they submit an application for an insurance contract or a report of an event that may be recognized as an insured event, using the form established by ERGO.
 

In other cases, in order to assess insurance risk, calculate an insurance premium, submit an insurance offer, conclude or extend an insurance contract, and investigate and determine the circumstances of events that may be recognized as insured events and the amount of insurance benefit, we provide and collect your personal data from other sources, such as:
 

• insurance intermediaries (brokerage companies) – identification data, contact details, data on insurance objects, data for assessing insurance risk, data related to (non-) insured events, financial data, health data;  
• public registers, such as SE Centre of Registers, Regitra, AB – identification data,  contact details (address), data on insurance objects, data related to (non-)insured events;
• Motor Insurers’ Bureau – the data for assessing insurance risk (driving discipline history), data related to (non-)insured events;
• Creditinfo Lietuva, UAB – the data for assessing the insurance risk (credit rating);
• Doctors, hospitals, and other medical, healthcare, and nursing institutions established in the Republic of Lithuania and other countries, medical expertise institutions and services operating in the territory of the Republic of Lithuania and other countries, which are required by law to determine disability and working capacity, forensic medical experts, specialists, medical experts, pharmacies – data for assessing insurance risk, data related to (non-)insured events, health data;
• reinsurance partners – the identification data;
• claims handling partners in foreign countries (representatives for claims handling) and other claims handling partners – the identification data, contact details, data on insurance objects, data related to (non-)insured events;
• Tuvlita, UAB – the data on insurance objects;
• motor vehicle repair companies – the data on insurance objects;
• banks, other payment institutions – the identification data, financial data;
• in cases of recourse claims received from other insurance companies – the data related to (non-)insured events;
• personal data processed and provided by law enforcement agencies, judicial authorities, courts, state social insurance and compulsory health insurance institutions, fire, emergency or other services, multi-apartment building administrators, multi-apartment building associations, independent experts, other natural and legal persons for the purposes of ERGO data processing, i.e. for concluding insurance contracts, administering (non-)insured events, etc.

We apply strict requirements for access to health data. ERGO collects and provides customer health data to other persons in the process of concluding insurance contracts and/or administering insured and/or non-insured events only with a written consent of the customer.

ERGO is committed to maintaining confidentiality with regard to the data of its customers and potential customers. Personal data may be disclosed to third parties if this is necessary for the purpose of entering into or performing an insurance contract with a customer, if required by law, or for other legitimate reasons. Information may also be provided to other parties at your request or in accordance with your contractual obligations to other parties, such as banks or other financial institutions.
 

We may disclose your personal data to data processors who provide services to us (carry out work) and process your personal data on behalf and in the interests of ERGO as the data controller, after having entered into a data processing agreement with them.
 

Data processors shall have the right to process personal data only in accordance with our instructions and only to the extent necessary for the proper performance of the obligations set out in the contract. ERGO only uses data processors who provide sufficient guarantees that appropriate technical and organizational measures will be implemented in such a way that data processing complies with the requirements of the Regulation and the protection of the rights of the data subject is ensured.
 

We provide categories of data recipients, including data processors (the list is not exhaustive):
 

• insurance intermediaries, ancillary insurance intermediaries – who process personal data in order to conclude and administer insurance contracts with customers;
• claims administration partners – who process personal data in order to register claims, assess them, ensure expert evaluation, and organize medical, financial, legal, and other assistance in Lithuania or abroad;
• information technology companies – which process personal data to ensure the creation, improvement, and maintenance of information systems;
• reinsurance companies – which process personal data in order to reinsure insurance risks insured by ERGO;
• banks or other financial institutions, leasing companies – which have a legitimate interest in knowing whether the property owned by them or pledged (financed) for their benefit was insured and which are specified as beneficiaries in insurance contracts, as well as banks – to which data is submitted for the purpose of making payments;
• companies that process personal data in order to provide ERGO customer service and other value-added (administration) services;
• companies that process personal data in order to provide ERGO with document scanning, archival document (archive) management and storage services;
• market research and marketing service providers – who help to identify customer opinions and carry out marketing;
• Motor Insurers’ Bureau, State Tax Inspectorate, and other entities to which data provision is required by legal acts;
• other insurance companies in cases of submission of recourse claims; also foreign insurance companies whose representative for the investigation of claims is ERGO;
• debt collection agencies and legal service providers – to whom data is provided in order to recover amounts paid out to persons responsible for damage, overdue payments or to obtain legal advice.

ERGO may also provide customer data in response to requests from courts, law enforcement bodies, or other state institutions, such as the Bank of Lithuania, the State Tax Inspectorate, to the extent necessary to comply with applicable laws and regulations and instructions from public authorities, other data recipients, such as lawyers, bailiffs, etc., under the conditions of lawful data provision (receipt), as well as with the consent or at the request of the data subject.
 

In certain cases, where there is a legal basis, ERGO may also transfer your data to other ERGO Group companies and/or their subsidiaries or receive your data from them. Such cases could include, for example, the provision of insurance services, direct marketing, customer complaint management, supervision of group companies by ERGO Group, implementation of standards set by the ERGO Group, etc.
 

Your personal data, as a rule, shall be processed within the European Union and the European Economic Area. However, in certain cases, it may be transferred outside the European Union and the European Economic Area, for example, when an insured event occurs in another country and we need to collect evidence to support it, or due to the use of external technology solution providers. In such cases, where such data transfer is necessary, it shall be carried out in accordance with the requirements for such data transfer set out in the Regulation. If personal data is transferred to a country that the European Commission has recognized as ensuring an adequate level of personal data protection, such as the United Kingdom, Canada, Japan, etc., such transfer shall comply with the European Union data protection requirements. In other cases, we take all necessary security measures to ensure the proper data transfer, e.g. the signing of the standard contractual clauses. 

We may use profiling in relation to your personal data, making automated decisions based on the information you provide in order to assess personal aspects relating to you for the purpose of assessing insurance risk. Profiling of your personal data shall be carried out when it is necessary for the conclusion or performance of an insurance contract. 
 

Automated decision-making, including profiling, helps ensure that our decisions are made quickly, fairly, effectively, and accurately based on the information we have. ERGO ensures that the assessment methods used are regularly reviewed to ensure their fairness, accuracy, relevance, effectiveness, and impartiality.
 

After performing an automated insurance risk assessment, based on this assessment, the insurance contract may be concluded under the terms and conditions other than those specified in your application, or the conclusion of an insurance contract with you may be refused.
 

After an automated decision has been made, you shall have the right to request a human intervention from ERGO, express your opinion, and challenge the decision. 
 

For some customers, when there are unusual circumstances that are not typical of standard insurance risks, we shall not be able to make an automated decision. In that case, the contract may be concluded after an individual risk assessment.

ERGO personal data shall be processed for no longer than is necessary for its processing purposes. The terms for storing personal data shall be determined according to, or in compliance with, legal acts for as long as reasonable claims may arise from the relationship, as well as taking into account ERGO’s legitimate interest in storing data collected for a specific purpose for a certain period of time. 
 

For example, the personal data we collect that are used for entering into, amending, administering, and performing insurance contracts, assessing insurance risks and calculating premiums, registering and investigating (non-)insured events, identifying circumstances, and determining and paying insurance benefits, shall be stored in printed documents and/or in our information systems. Usually, personal data shall be processed for these purposes for 10 years after the end of the relationship. In cases where an insurance contract offer was made to a customer but the insurance contract was not concluded, the personal data collected for the purpose of preparing the offer shall be stored for 18 months from the date of preparation of the offer. Personal data related to complaints, data subject’s request, and data security incidents shall be stored for 3 years following the date of submission of the response to the complaint or the data subject’s request or the end of the incident investigation. Personal data related to reports of possible violations shall be stored for 5 years from the date of the decision. Your personal data related to consent to the processing of personal data for direct marketing purposes shall be stored for the duration of the consent (usually 5 years, unless the consent is revoked) and for 2 years after the end of the personal data storage period for which the consent was given, etc.
 

Personal data that is no longer required shall be destroyed, erased, or anonymised in such a way that the identity of the data subject cannot be determined, either directly or indirectly.

Ensuring the security of your personal data is very important to us. ERGO has implemented and will continue to implement appropriate organizational and technical measures to ensure the security of your personal data, including protection against unauthorized or unlawful processing of personal data and against accidental loss, destruction, or damage. Activities carried out by ERGO to ensure security, inter alia, include the protection of personnel, information, IT infrastructure, internal and public networks, as well as office buildings and technical equipment. 

You shall have the rights of data subjects as set out below.

The right to access your personal data 

You may apply to us with a request:
 

• to confirm that we process your personal data;
• to provide information about the personal data we process, such as what personal data we collect, for what purpose we process it, to whom we provide it, what the sources of the data are, etc.;
• to provide you with a copy of this data.

The right to request rectification of personal data
If, after reviewing your personal data, you find that it is incorrect, incomplete, or inaccurate, and you contact us, we will verify your personal data and, at your request, correct any inaccurate data and/or supplement any incomplete personal data.

The right to request the deletion of personal data (“right to be forgotten”)

You may contact us with a request to delete your personal data in the following cases:
 

• when it is no longer necessary for the purposes for which it was collected or otherwise processed;
• when you have withdrawn your consent (if the processing of your personal data was based on consent) and there is no other legal basis for processing the data;
• when you have exercised your right to object to our processing of your personal data;
• when you believe that your personal data is being processed unlawfully, etc.

In some cases, we will not be able to comply with your request to delete your personal data when its processing is necessary to comply with a legal obligation under legal acts of the European Union or Republic of Lithuania, as well as in order to establish, exercise, or defend legal claims. 

The right to restrict the processing of your personal data

You may request us to restrict the processing of your personal data, except for storage, where one of the following applies:
 

• you contest the accuracy of the data for a period during which we can verify the accuracy of your personal data;
• the processing of your personal data is unlawful, but you object to the erasure of your personal data and request the restriction of its use instead;
• it is no longer necessary for the personal data processing purposes for which it was collected, but is required by the data subject for the establishment, exercise, or defence of legal claims;
• you have objected to the processing of your data pending verification of whether our legitimate grounds override your grounds.

Due to data processing restrictions and during the period of such restrictions, we may not be able to guarantee the provision of services to you.

The right to the portability of your personal data

You may request us to receive from us personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and you may request us to transfer your personal data to another data controller, where technically feasible and when:
 

• the processing of your personal data is based on your consent or on the performance of an insurance contract concluded with you, and
• your personal data is processed by automated means.

The right to object 
You may contact us at any time with a request to object to the processing of your personal data for reasons specific to your situation, where such processing is carried out on the basis of legitimate interest. 
 

ERGO no longer processes personal data, except in cases where the data controller proves that the data is processed for compelling legitimate reasons that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
 

The right related to automated individual decision-making, including profiling

We may use profiling in relation to your personal data, making automated decisions based on the information you provide, in order to assess personal aspects relating to you for the purpose of assessing insurance risk. Profiling of your personal data shall be carried out when it is necessary for entering into or performing an insurance contract.
 

After an automated decision has been made, you shall have the right to request human intervention from ERGO, express your opinion, and contest the decision. 

The right to lodge a complaint regarding the processing of personal data

If you believe that we are processing your personal data in violation of the Regulation and/or other laws governing the processing and protection of personal data, we always ask that you contact us directly first. Our Data Protection Officer’s contact email address is: asmensduomenys@ergo.lt.
 

If you are not satisfied with our suggested solution to the problem or, in your opinion, we have not taken the necessary action in response to your request you may lodge a complaint with the State Data Protection Inspectorate or bring an action before the court. 
 

You can submit a request to exercise your rights of a data subject by visiting ERGO at Geležinio Vilko g. 6A, LT-03150 Vilnius, Lithuania, or at customer service branches, as well as by sending a request by post to ERGO to the address: Geležinio Vilko g. 6A, LT-03150 Vilnius, Lithuania, by email to info@ergo.lt or asmensduomenys@ergo.lt, or via self-service.  When submitting a request to exercise your rights as a data subject, we will need to identify you properly. When submitting a request in person, please provide your personal identity document. When the request is submitted by mail or email, sufficient data must be provided to properly identify you. If it appears that we lack the data necessary to properly identify you, we will contact you in order to obtain the necessary data.
 

Your requests regarding the exercise of your rights shall be processed within one month. Depending on the complexity of the request and the number of requests received, this period may be extended for another two months.

We administer ERGO accounts on social networks such as LinkedIn, Facebook, Instagram, and YouTube. The information we receive when you use these social networks (including messages, use of the “Like” and “Follow” fields, etc.) shall be controlled by the administrator of the respective social network. Social networks and the services accessible through them have their own separate privacy policies, which the social networks are responsible for complying with. Please read these privacy policies before submitting personal data on social networks: LinkedIn Privacy Policy is posted here; Youtube Privacy Policy is posted here; Facebook Privacy Policy is posted here and Instagram Privacy Policy is posted here.

ERGO may amend this Privacy Policy at any time. Please note that after amending the Privacy Policy, it may take some time for such amendments to take effect. If you wish to follow the amendments to the Privacy Policy, please check this section of the website periodically. 
 

If you have any questions or believe that there are no answers to your questions regarding the processing of personal data in this Privacy Policy, please contact us by email at asmensduomenys@ergo.lt or at the address: Geležinio Vilko g. 6A, Vilnius.