Our personal data policy
This policy sets out Velliv's overall strategic goals and principles for data protection and processing. It also establishes roles and responsibilities.
The policy is to ensure that Velliv complies with any Danish and European regulation, delegated legislation, internal rules and 'best practice' in force from time to time in the data protection area, including that Velliv complies with the spirit of the law.
The policy covers processing of all personal data, including, but not limited to, information about customers and employees.
Any senior executive of Velliv is – whenever relevant – responsible for ensuring that the policy is known and followed within the relevant senior executive's area of responsibility.
Risks involved in data protection and processing
The processing of personal data, including sensitive personal data, is a core activity of Velliv and therefore a significant operational risk in the company's business model. Velliv processes personal data for the purpose of establishing and administering contracts with customers and to meet the company's obligations towards customers, co-insureds and beneficiaries. Personal data are also used for marketing purposes to the extent that the customers have given their consent to the use of data for marketing purposes. Moreover, as part of its activities, Velliv may in certain cases transfer personal data to other parties, including business partners, suppliers, etc. Finally, Velliv processes personal data in connection with the establishment and administration of the terms and conditions of employment of employees. Velliv is controller for the personal data processed by the company.
The processing of personal data involves a risk that customers' and employees' personal data become subject to accidental or unlawful destruction, loss and alteration of and unauthorised disclosure or access to personal data, including publication.
The processing and protection of personal data are regulated by the General Data Protection Regulation of the European Parliament and of the Council and by special national legislation in the area. Furthermore, Velliv is subject to special legislation for financial businesses.
Non-compliance with the personal data legislation may result in prosecution or injunction from the supervisory authorities and significant financial losses in the form of fines.
Breach of confidentiality may have serious consequences for customers and employees due to the risk of data abuse, and breach of integrity and confidentiality is therefore considered a significant reputational risk for Velliv.
Strategic goals for data protection and processing
Velliv wants to be a trusted partner at all times. Simplification and digitisation are also strategic themes at Velliv.
The processing of personal data and the security level must reflect that Velliv processes large volumes of personal data, including large volumes of sensitive personal data. For this purpose, Velliv wants to establish and maintain a high level of protection of personal data. Furthermore, Velliv wants to comply with the current data protection legislation at all times.
In order to minimise Velliv's risks as mentioned in 2.1, processes and systems must be designed in accordance with the following data protection principles.
Personal data must:
- be processed lawfully, fairly and in a transparent manner
- be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)
- be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
- be accurate and kept up to date (accuracy)
- be stored for a limited period in accordance with the purpose (storage limitation)
- be processed in a manner that ensures appropriate security of the personal data (integrity and confidentiality)
- be treated subject to the rights of the data subject
- only be transferred to processors or third parties, including third parties in third countries, if appropriate security of the personal data is ensured.
Method and process description
Velliv must establish processes and procedures to ensure that the data protection principles of this policy are observed. This means that Velliv must ensure that processing activities are not initiated until an analysis has been made of the consequences for the protection of personal data. New products and systems must comply with the principles of privacy by design and privacy by default.
Velliv must be able to demonstrate that the data protection principles of this policy are observed and must keep and maintain a list of processing activities which meet the requirement of law for such a list.
Velliv must appoint a data protection officer and prepare a job specification for the data protection officer.
Lawful, fair and transparent processing
The processing of personal data by Velliv requires that the processing activity is authorised by the General Data Protection Regulation, other EU regulation or national law. Velliv must ensure that the adequate legal basis exists before processing starts. Legal basis means that:
- the data subject has given valid consent for the processing
- processing is necessary for the performance or conclusion of a contract to which the data subject is a party
- processing is necessary in order to comply with a legal obligation that Velliv has
- processing is necessary in order for Velliv to pursue a legitimate interest unless the interests of the data subject override those of Velliv
- processing is necessary to protect the vital interests of the data subject or any other natural person
- processing is necessary for the performance of a task carried out in the public interest which Velliv has been required to perform
Civil registration numbers are processed in accordance with the special national legislation to that effect. Accordingly, sensitive personal data are processed in accordance with the special requirements to that effect.
The processing of personal data in Velliv must be transparent and open to ensure that it is clear to the data subject, at the time of the collection and throughout the relationship between Velliv and the data subject, that personal data are collected, used and stored and otherwise processed and to what extent and for what purposes the personal data are processed. The information must be provided in clear and simple language. The information must be provided through a communication medium suited for the specific situation in which the personal data are collected, processed, etc.
At the time of collection, Velliv must provide the data subject with information about:
- The purpose of the processing for which the personal data are intended, including the period for which the data will be stored
- Categories of recipients of personal data concerning the data subject
- The rights of the data subjects
- Contact details of the company and the company's data protection officer, including complaint bodies.
If Velliv collects personal data about the data subject from any parties other than the data subject, information must be provided as soon as possible thereafter.
Collection and processing according to purpose
Velliv collects personal data for a number of purposes and collects personal data from the data subject and from other parties. Regardless of how and from whom personal data are collected, such data may be processed only for the specified, explicit and legitimate purposes and may not be further processed in a manner that is incompatible with those purposes.
When personal data are collected and otherwise processed, it must be ensured that the only data collected and processed are those necessary for the specified, explicit and legitimate purposes for which the data are processed. Velliv must have processes in place to ensure that personal data which the company receives from other parties and which are not necessary for those purposes are destroyed or erased.
Accuracy of data
Velliv must have processes in place to ensure that personal data are correct and up-to-date.
Velliv may not store personal data any longer than necessary for the purposes for which the data are processed. This means that Velliv must take measures to ensure that personal data are erased when they are no longer necessary for the purpose.
Velliv must have principles in place for erasure. Such principles must be laid down with due consideration being given to the company’s long-term contractual/customer relations (the insurance contract). Moreover, the principles must take account of the Danish Limitation Action to ensure that Velliv can settle claims even after the termination of the customer relationship. The principles must also take into consideration that for certain personal data, requirements may be specified in other legislation that requires a longer or shorter storage period, e.g. the Money Laundering Act, tax legislation, etc.
Integrity and confidentiality
Velliv must ensure that access to personal data is only on a 'need to know' basis.
Velliv must implement technical and organisational measures to prevent accidental or unlawful destruction, loss and alteration of and unauthorised disclosure or access to personal data, including publication. The relevant measures include, but are not limited to, access control, user access administration, logging, encryption, pseudonymisation and erasure. Secure processing also includes control of access to physical locations. Velliv must provide ongoing training of the company's employees to ensure that the employees know the company's information security rules.
Moreover, Velliv must have processes in place to address any breach of data security by having processes for handling and reporting data breaches to the Danish Data Protection Agency and/or the data subjects, including to ensure that reporting takes place within the statutory time limit.
Respect for the rights of data subjects
Velliv must process personal data in a manner that respects and meets the rights of the data subject. This means that the company must inform data subjects of their rights and have processes in place to meet such rights in a timely manner and in accordance with the statutory time limits. The rights of data subjects include, but are not limited to:
- The right of data subjects to access their personal data being processed
- The rights of data subjects to have their own personal data erased in certain cases
- The rights of data subjects to have their own personal data rectified
- The rights of data subjects to have the processing of their own personal data limited in certain cases
- The rights of data subjects to receive personal data about themselves in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
Transfer to controller or third parties
As part of its activities, Velliv may in certain cases transfer personal data to other parties, including business partners, suppliers, etc. The transfer and disclosure of personal data are subject to current legislation, including financial legislation, or subject to the consent of the data subject.
Velliv may only use processors that can provide sufficient guarantees to implement the suitable technical and organisational measures which ensure protection of the rights of data subjects. Any transfer to a third party processing personal data on behalf of Velliv is subject to a processor agreement that meets the requirement of legislation for a valid processor agreement, including the requirements for use by sub-processors. The processor agreement must also regulate the processor's use of sub-processors established in third countries.
Velliv may be required to transfer data to other parties. Such obligations may follow from law, including tax legislation, money laundering legislation, etc. Velliv may also transfer data to other parties when required for the company's pursuit of a legal claim, legal advice or at the request of a supervisory authority. In such cases, Velliv must ensure that the data are sufficiently protected, either according to law or contract.
Monitoring and controls
Processes and controls under this policy must be documented, transparent, risk-based and must be reevaluated on an ongoing basis and at least once a year.
The Board of Management must receive ongoing and at least quarterly reports on the company's risks in relation to the protection of personal data, including the number of reported incidents, reporting of key figures in relation to personal data, including the exercise of right of access and any other rights of data subjects. Material breaches of data security must be reported to the Board of Management without undue delay.
The Board of Directors must receive ongoing and at least annual reports on the compliance with this policy.
Roles and responsibilities
The Board of Management is responsible for implementing this policy by establishing adequate business processes.
The Board of Management appoints a data protection officer reporting to the company's CFO who is responsible for monitoring and advising the company on compliance with the methods and processes decided on the basis of this policy.
The Board of Directors wants clear managerial support for processes aiming to protect personal data. Therefore, the Board of Management is charged with establishing a standing personal data committee consisting of representatives from relevant business areas, including the compliance manager, IT and the data protection officer.
The personal data committee must receive ongoing and at least quarterly reporting from the data protection officer. The personal data committee will help ensure that methods and processes are implemented in the business areas.
The company's compliance function is responsible for checking and assessing whether the procedures and measures implemented to protect personal data and comply with the General Personal Data Regulation are adequate. The compliance manager makes ongoing and at least annual reports to the Board of Management.
The Board of Management may delegate the responsibility for establishing business processes to the individual managers of the company's business areas.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (EEA-relevant text)
L 69 Bill to amend the act on the processing of personal data by law enforcement agencies, the act on the information databases of mass media and various other acts. (Consequential amendments resulting from the Danish Data Protection Act and the General Data Protection Regulation as well as the use of the Media Liability Act on publicly available information databases etc.)
Consolidated Financial Business Act of 2017-01-31 No. 174 and executive orders issued in pursuance of this Act, including the Executive Order on outsourcing of significant areas of activity of 11 January 2010.
References to other policies and guidelines
Together with Velliv's IT security policy, the Data Protection Policy constitutes the internal rules for data protection as approved by Velliv's Board of Directors.
The policy is supplemented by guidelines for information security and business processes in the area.