The processing and protection of personal data
Information memorandum of HARPAG sro regarding the processing and protection of personal data
I. Basic provisions
1. The personal data controller pursuant to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as: "GDPR") is HARPAG sro, ID: 27411141, with registered office at: Cukrovarnická 838/57, 162 00, Prague 6 (hereinafter referred to as: "administrator").
2. The contact details of the administrator are:
address: HARPAG sro, Cukrovarnická 838/57, 162 00, Prague 6, Czech Republic
email: info@harpag.cz
phone: +420 241 490 092
3. Personal data means any information relating to an identified or identifiable natural person; an
identifiable natural person is one who can be identified, directly or indirectly, in particular by reference
to an identifier such as a name, an identification number, location data, an online identifier or to one
or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person.
4. The controller has not appointed a data protection officer.
II. Sources and categories of processed personal data
1. The administrator processes personal data that you have provided to it or personal data that the administrator has obtained on the basis of legitimate interest from another administrator.
2. The administrator processes personal data, such as name, surname, social security number, date of birth, residential
address, telephone number, e-mail address and other personal data related to the preparation, conclusion of an
insurance or other contract or settlement of a claim. These are necessary identification and contact data. If necessary
for the conclusion of a contract or settlement of an insured event, we may also process data relating to health.
III. Legal basis and purpose of processing personal data
1. The lawful reason for processing personal data is
- the legitimate interest of the controller in the mediation and administration of an insurance or other financial
contract, or other services directly related to the conclusion of such a contract or the liquidation of a damage event
(e.g. vehicle inspection, glass marking, vehicle repair, liquidation of the consequences of a damage event)
2. The purposes of processing personal data are
- risk analysis and assessment, preparation and conclusion of an insurance contract, insurance contract
administration, cooperation in the settlement of claims and insured events
- preparation and mediation or conclusion and administration of other financial contracts, e.g.
building savings, pension savings, trust fund, loan, leasing
- direct marketing of the controller, sending its advertising messages and offering services. You have the
right to object to such processing at any time
- processing of selected personal data for the purposes of the strategic development of the controller and processor,
and for the purposes of scientific research in the field of insurance and financial markets. You have the right to object
to such processing at any time
3. The controller does not carry out any automated individual decision-making within the meaning of Article 22 of the GDPR.
IV. Data retention period
1. The administrator stores personal data:
- for the period necessary to exercise the rights and obligations arising from the contractual relationship and to
assert claims from these contractual relationships, or for the period imposed by other legal regulations even
after the termination of the contractual relationship (e.g. mandatory archiving period).
- for the period until consent to the processing of personal data for marketing purposes is revoked, up to 15 years if personal data are processed on the basis of consent
- for the period until the consent to the processing of selected personal data for the purposes of the strategic development of the controller and processor and for the purposes of scientific research in the insurance market is revoked, for a maximum of 15 years if the personal data are processed on the basis of consent
2. After the expiry of the personal data retention period, the controller will delete the personal data in electronic form
and destroy it in paper form.
V. Recipients of personal data (subcontractors of the controller)
1. The administrator transfers personal data to other administrators, but only if the nature of the service provided requires it; these
are in particular insurance companies, building societies, pension funds, credit companies, car repair shops, construction
companies, agencies dealing with the security and surveillance of property and persons.
2. The administrator does not intend to transfer personal data to a third country (a country outside the EU), however, the recipient of the data may also be an international organization based outside the EU (e.g. an insurance company) that is authorized to provide its services in the Czech Republic.
VI. Information about rights
1. Under the conditions set out in the GDPR, you have:
- the right to access your personal data pursuant to Article 15 of the GDPR, the right to rectification of personal data pursuant to Article 16 of the GDPR, or restriction of processing pursuant to Article 18 of the GDPR,
- the right to erasure of personal data pursuant to Article 17 GDPR,
- the right to object to processing pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR,
- the right to withdraw consent to processing in writing or electronically to the address or email of the administrator specified in Article I of these terms and conditions.
2. You can also file a complaint with the Office for Personal Data Protection if there is reason to believe that your right to personal data protection has been violated.
3. You may refuse to provide personal data. However, failure to provide relevant data may make it impossible for
the administrator to provide the service.
VII. Conditions for securing personal data
1. The Administrator declares that it has taken all appropriate technical and organizational measures to secure personal
data.
2. The controller has taken technical measures to secure data repositories and personal data repositories in paper
form.
3. The Administrator declares that, in addition to it, only processors authorized by it have access to personal data, i.e. in particular subordinate insurance intermediaries, employees and administrative staff of the Administrator, providers of IT services and security, insurance companies or other providers of intermediary services.