Generali Osiguranje Serbia processes your personal data*
Generali Osiguranje Serbia a.d.o. (“the Company”), with registered headquarters in Belgrade, at Vladimira Popovića No. 8, processes your personal data as the Data Controller*.
If you would like to receive more information, please write to the following address: Generali Osiguranje Serbia a.d.o., Vladimira Popovića No. 8, 11070 New Belgrade, Serbia.
If you have any questions or wish to exercise your rights regarding the processing of your personal data, please contact our Data Protection Officer*:
Why we need your personal data
We process your personal data to provide you with the insurance services you have requested or expect us to provide, including:
We process your personal data for the purposes stated in point 1 to conclude the insurance contract and meet obligations arising from it. If this includes processing special categories of personal data* (such as those concerning your health), the processing of such data is based on your consent*.
We process your personal data for the purposes stated in points 2 and 4 to comply with the legal obligations of the Company.
Your personal data are processed for the purposes stated in points 3, 5 and 8 because of the legitimate interest of the Company in assessing customer satisfaction during the insurance contract, managing customer relations more effectively, preventing and identifying potential insurance-related fraud, providing preventive health protection to customers, informing customers about simplified and faster ways to use the Company’s services and implementing the Generali Group Programme to detect and adequately prevent money laundering and terrorism financing through the use of the Company’s products.
Your personal data is processed for the purpose stated in point 6 based on your request for action related to concluding an insurance contract and submitting complaints. In the case of either positive or negative feedback regarding the Company’s work, the processing of data is based on the Company’s legitimate interest.
Your personal data are processed for the purpose stated in point 7 based on your consent if you are a new or potential customer.
To provide insurance services, we use your personal data for the following purposes:
Why you need to provide us with your personal data
We need to process your personal data to be able to carry out the insurance contract we have concluded with you and comply with our legal obligations.
Failure to provide the requested personal data, as well as providing partially accurate or incomplete data, prevents us from fulfilling our contractual and legal obligations.
What personal data we use
We process only the personal data* that are necessary for the purposes mentioned above. Depending on the requested insurance service, we mainly process:
You provide your personal data to us, directly, or we receive them through third parties (associated companies of Generali Group, lawyers, your employer, or other insurance contractors, insurance intermediaries and representatives, the Association of Serbian Insurers, leasing companies, insured persons, healthcare institutions, etc.).
Who we share your personal data with
Our employees process your personal data following the procedures that ensure an appropriate level of data security and privacy. In this regard, the Company implements ISO27001 standards for information security and a range of other technical protective measures.
We may share your personal data only with authorised third parties who process personal data for the purposes mentioned above. Depending on the type of the processing of data, these are data processors* or joint controllers*.
Our employees and third parties who process your personal data receive explicit instructions on the data processing methods.
Third parties are part of the so-called insurance chain. These are entities that, on various grounds, provide services arising from insurance contracts (e.g. insurance intermediaries, insurance agents, banks, co-insurers and reinsurers, insurance company lawyers and experts, technical and professional consultants, the Association of Serbian Insurers, leasing companies, car repair shops, legal entities providing roadside assistance, healthcare institutions, debt collection agencies, companies belonging to Generali Group and other companies providing IT services, telecommunications services, financial, administrative and archival services, correspondence management services, auditing and financial statement confirmation services, as well as companies specialised in service quality assessment).
Transferring your personal data
In general, we do not transfer your personal data outside the territory of the Republic of Serbia and the countries of the European Economic Area. In extremely rare cases, only for the purposes mentioned above and upon request, we may transfer your personal data to a third party or public authority outside the Republic of Serbia and the European Economic Area. In any case, the transfer of your personal data is carried out in accordance with applicable laws and international agreements whilst implementing appropriate protective measures (e.g. standard contractual clauses, binding corporate rules, approved codes of conduct, issued certificates, contractual provisions between controllers and processors with the approval of the Commissioner).
Your rights regarding the processing of personal data
Access
You can request access to your personal data if you want to know which categories of personal data the Company currently processes. Please specify that your request pertains to the customer or interested party data.
Correction or completion
You can request that the Company rectify or complete personal data which is inaccurate or incomplete.
Deletion
You can request that the Company delete personal data if one of the following conditions is met:
Restriction of processing
You can request that the processing of personal data be restricted based on one of the following grounds:
Data portability
You can request that the data processed by the Company based on a contract or your consent be provided to you in a structured, commonly used and machine-readable format so that you can transmit this data to another organisation, or that the Company transmit it if technically feasible.
If the processing of personal data is based on your consent, you can revoke it at any time, but this will not affect the lawfulness of processing based on consent before revocation.
If your personal data has been transferred outside the European Economic Area, you have the right to receive a copy of that data, specifying the country/countries to which your personal data has been made available.
You can exercise your rights regarding the processing of personal data by submitting an appropriate request by email or post. Submitting a request is free of charge unless the request turns out to be unfounded or excessive.
Email address: dpo@generali.rs
Postal address: Generali Osiguranje Srbija a.d.o., Vladimira Popovića br. 8, 11070 Novi Beograd
Your right to object to the processing of personal data
An objection to the processing of personal data will be automatically accepted only when the processing of your data is based on consent.
In other cases, an assessment will be made to determine whether the objection will be accepted or not, and you will receive a reply in writing.
Your right to file a complaint with the competent authority
If you believe that the processing of your personal data violates the Personal Data Protection Act, you have the right to file a complaint with the Commissioner for Information of Public Importance and Personal Data Protection* at the address provided at
How long we keep your personal data
How long we keep your personal data depends on the legal basis and purpose of their processing under applicable privacy laws.
If the processing of data is based on a contract, we must retain your personal data throughout the entire duration of the contractual relationship and for 10 years after the expiration of the insurance contract. Should an adverse event or an insured case occur, we keep your data for 10 years from the moment the damages or the contract amount have been determined.
Data collected based on consent is kept for 5 years or until consent is revoked, whichever happens first. Data collected based on legitimate interest is kept until the purpose for which it was collected is fulfilled.
Amending and updating the Privacy Notice
Considering that the applicable privacy laws may be amended, the Company may update, in whole or in part, this Privacy Notice. All changes or updates will be published on the Company’s website, at
Glossary
Processing – any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Personal data – any information relating to an identified or identifiable natural person, directly or indirectly, especially the information based on identity markers such as name, identification number, location data, identifiers in electronic communication networks or one or more characteristics related to the individual’s physical, physiological, genetic, mental, economic, cultural and social identity.
Special categories of data – include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation of an individual.
Data concerning health – personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Data subject – any natural person whose personal data are being processed.
Data controller – a legal or natural person or a public authority who, alone or when joined with others, determines the purposes of any personal data and the means of processing them. The law governing the purpose and manner of processing may also define or prescribe conditions for appointing the data controller.
Joint data controller – a natural or legal person, public authority, agency or other body that, together with other data controllers, determines the purposes and means of processing the same personal data.
Data processor – a natural or legal person, or a public authority, which processes personal data on behalf of the controller.
Consent of the data subject – any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data Protection Officer – a person responsible for providing support activities related to the functions and control activities of the Company concerning the processing of personal data. Additionally, the Data Protection Officer collaborates with the Supervisory Authority and serves as the point of contact for data subjects regarding any questions related to the processing of personal data.
Commissioner for Information of Public Importance and Personal Data Protection – an independent and autonomous authority established by law that oversees the implementation of the Personal Data Protection Act and performs other duties prescribed by law.