Privacy Policy

PRIVACY INFORMATION

 

In the event that you are a client or you make an offer to conclude an insurance contract

The Insurer and the reinsurer may manage personal data during the period of insurance or assignment, respectively, as well as during the period in which a claim may be made in connection with the insurance, reinsurance or assignment. The purpose of data management may only be the conclusion, modification or retention in the portfolio of the insurance policy, the judgment of claims arising from the insurance policy, or any other purpose specified in this act. The Insurer or reinsurer may perform data management for purposes other than these only with your prior consent. Refusal to give such consent must not result in a disadvantage to you, and giving such consent must not result in an advantage to you. The detailed rules of processing personal data are regulated by Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation - hereinafter referred to as GDPR) as well as by the Hungarian legal regulations in effect; the Insurer established its data protection policies within the framework of these.

The legal basis of data processing by the Insurer shall primarily be the interest of performing the insurance contract (Section b.), Article 6. of the GDPR) and secondarily performing the legal obligation of the Insurer (Section c.), Article 6. of the GDPR). Data processing may take place on the basis of enforcing the legitimate interest of the Insurer or a third person (Section f.), Article 6. of the GDPR).

The management and processing of data falling into special categories of personal data (data related to health condition) shall take place on the basis of your consent. In the absence of such consent the Insurer shall be unable to perform the contract; therefore, in addition to the provision of data protection information, you shall declare this consent.

Accordingly the Insurer shall process data related to health condition and transfer such data to the data processor.

The identity and identification data of the data processor, the scope of data transferred to them as well as the operations performed by them shall be made available by the Insurer on its website.

The persons who process the health status data on the basis of legal regulation or contractual authorization, in particular the attending physicians (including family doctors and specialists), specialists, health care service providers or institutions, public health care organizations or ambulance services etc., may be exempted from the obligation of confidentiality by a separate written consent. You shall consent to such exemption or to the processing and the transfer of such data to the data processor in the prescribed manner.

In the event that the contract is concluded for a minor insured person and/or beneficiary, such exemption and consent to data processing shall be extended to them as legitimate representative.

The consent may be withdrawn at any time without explanation. The consequences of such withdrawal and the data protection provisions of the Insurer shall be included in the terms and conditions of the insurance.

 

In the event that you are an interested person

You shall be qualified as an interested person if

- you subscribe to the newsletter,
- you apply for a job advertisement,
- you meet the representative of the Insurer at an event and provide your personal details.

In this case your personal data shall be processed on the basis of your consent based on detailed information. You may withdraw your consent to data processing at any time without explanation. The withdrawal of your consent shall not affect the lawfulness of previous data processing by the Insurer.

Data processing based on voluntary consent shall be terminated if the purpose of data processing is terminated.

The Insurer shall perform profiling, automated decision-making or transfer with the personal data exclusively on the basis of voluntary consent.

Personal data of job applicants shall be retained by the Insurer for 12 months following the interview or data collection at the latest. In the event that you request further data processing, you shall file an express written application for that.

 

Other Important Information

Center of Operations: 1033 Budapest, Flórián tér 1. even if the insurer processes personal data in its cross-border activities.

Supervisory Authority: Magyar Nemzeti Bank (National Bank of Hungary) (address: 1013 Budapest, Krisztina krt. 39.; phone number: +36 80 203 776, fax: +36 1 489 9102; Email: ugyfelszolgalat@mnb.hu; mail address: 1534 Budapest BKKP Postafiók: 777.; https://www.mnb.hu)

Supervisory Authority (in relation with data protection): Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information) (address: 1125 Budapest, Szilágyi Erzsébet fasor 22c; mail address: 1530 Budapest, Pf. 5; Contacts: phone number: +36 1 391 1400, fax: +36 (1) 391-1410; E-mail: ugyfelszolgalat@naih.hu; URL http://naih.hu)

Jurisdiction of Cross-Border Activity: A different supervisory authority from the authority competent in the center of operations shall be entitled to act in handling complaints lodged to it and to act in case of potential breach of the provisions of the GDPR if the subject matter of the case involves exclusively one venue of operation located in the member state or if it affects a significant number of data subjects exclusively in the member state.

Contact of Data Protection Officer:

dr. Antal Csevár, Lead Legal Counsel, Data Protection Officer
H-1033 Budapest, Flórián tér 1.
jog@cig.eu

 

LIST OF DATA PROCESSING COMPANIES

 

To view the list of companies that are processing data for CIG Pannónia Life Insurance Plc., please click here.

 

 

DATA PROTECTION POLICY 

 

The present policy aims to ensure the compliance of CIG Pannónia Life Insurance Plc. with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation - hereinafter referred to as GDPR) and to set forth the system of responsibilities for managing and processing personal data as well as for exercising the rights of the data subjects.

 

1.)    Scope of Policy

The provisions of the present policy shall be applicable to the personal data processing of CIG Pannónia Life Insurance Plc. (hereinafter referred to as Insurer), the regulation of the relevant processes and ensuring the rights of data subjects. The provisions of the policy shall be applicable to all persons who perform data processing for the Insurer or joint data processing activities. Where the law prescribes provisions stricter than those of the GDPR for personal data processing by certain data controllers or data processors, those stricter provisions shall be applied in relation to such personal data.

 

2.)    Term of Policy

The provisions of the present policy shall enter into force on the day of signature, nevertheless the provisions thereof shall be applicable from 25th May 2018.

 

3.)    Basis of Policy

The action plan ordered on 20th December 2017 on the basis of the DPIA and GAP analysis prepared by Field Consulting Zrt. taking Article 35. of the GDPR into account shall constitute the basis of the policy.

 

4.)    Basic Concepts

The basic concepts of the present policy shall be equivalent with the basic concepts listed in Article 4. of the GDPR with the following amendments and supplementary provisions:

Profiling: the insurer shall perform data processing including profiling on the basis of the consent of the data subject and exclusively if it takes place for business purposes.

Recording system: any electronic and paper-based records containing, managing or processing personal data under the effect of the GDPR.

Center of Operations: 1033 Budapest, Flórián tér 1. even if the insurer processes personal data in its cross-border activities.

Supervisory Authority: Magyar Nemzeti Bank (National Bank of Hungary) (address: 1013 Budapest, Krisztina krt. 39.; phone number: +36 80 203 776, fax: +36 1 489 9102; Email: ugyfelszolgalat@mnb.hu; mail address: 1534 Budapest BKKP Postafiók: 777.; https://www.mnb.hu)

Supervisory Authority (in relation with data protection): Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information) (address: 1125 Budapest, Szilágyi Erzsébet fasor 22c; mail address: 1530 Budapest, Pf. 5; Contacts: phone number: +36 1 391 1400, fax: +36 (1) 391-1410; E-mail: ugyfelszolgalat@naih.hu; URL http://naih.hu)

Jurisdiction of Cross-Border Activity: A different supervisory authority from the authority competent in the center of operations shall be entitled to act in handling complaints lodged to it and to act in case of potential breach of the provisions of the GDPR if the subject matter of the case involves exclusively one venue of operation located in the member state or if it affects a significant number of data subjects exclusively in the member state.

 

5.)    Principles Relating to Processing of Personal Data

The Insurer shall act according to the provisions set forth in Article 5. of the GDPR in terms of data processing performed by the Insurer. These provisions shall be supplemented and implemented as follows:

 

- Lawfulness, fair proceedings and transparency

The Insurer shall completely observe the provisions of the GDPR, the Hungarian legislation and the present policy in the course of its data management and processing. Each employee of the Insurer shall be responsible for establishing processes and proceedings and preparing forms, data processing consents and declarations which completely comply with these basic principles and provisions.

The Insurer shall process personal data in order to perform insurance contracts and fulfil the legal obligations of the Insurer. In the absence of these, personal data may be processed exclusively with the informed consent of the data subject.

In case of consent-based data processing the Insurer shall obtain the consent of the data subject in a verified way: in writing or on a recorded phone conversation. In case of consent-based data processing the voluntary consent of the data subject may be withdrawn at any time without explanation, of which the data subject shall be informed concurrently with the collection of data.

The consent-based processing of children’s personal data shall require the consent of the legitimate representative of the data subject exercising parental responsibilities. 

In the event that after the consent-based personal data processing the Insurer concludes a contract with the data subject, the provisions of the contract on personal data processing shall govern the processing of personal data from the quote or the conclusion of the agreement or the identification of the parties under the provisions of the anti-money laundering act.

The data subject shall be informed in case of each data processing method on what personal data the Insurer processes, and what personal data it transfers to whom for what data processing purposes. The information shall be primarily stipulated in the contractual terms and conditions and made available for the data subjects on the internet websites of the Insurer. It shall also be ensured that upon request the data subject shall receive the information under the GDPR about the processing of their personal data and their rights.

The Insurer may process special categories of personal data if the data subject gives express consent to do so or it is necessary in order to fulfil a requirement arising from the legal provisions regulating the employment of the data subject. Such personal data processing shall take place in case of contracts in particular in which the judgement of the risk or the payment of damages, i.e. the conclusion of the insurance contract and the performance of the service on the basis thereof depends on the health condition or the changes thereof.

The Insurer shall not process personal data related to establishing criminal responsibility. This prohibition shall not involve authority decisions resulting in a demand for service of the Insurer.

- Constraint of Purpose

The Insurer shall only process personal data for reasons required for its operation or to perform its contracts and services. In the course of this it shall not purchase, sell, transfer or make available to any third person any databases containing personal data.

- Data Minimization

The Insurer shall process exclusively as much personal data as indispensably required for its legal operation and performance of its contracts.

- Accuracy

The Insurer shall take all reasonable and necessary measures to keep the personal data accurate and up to date. Personal data shall be updated in accordance with the legal regulations, in particular at the frequency set forth in the Money Laundering Act; furthermore, changes shall be periodically updated in the system on the basis of reports of the data subjects.

- Restricted Storage

The Insurer shall terminate without delay the processing of personal data under the effect of the GDPR for which the constraint of purpose can no longer be established and for which the law allows the termination of processing.

- Integrity and Confidentiality

The Insurer shall take the advanced level of technical and organizational protective measures expected from financial organizations, providing the required security of personal data management and processing. In order to do so it shall set up a system of requirements for each data processor or joint data controller that processes the personal data of the Insurer falling under the effect of the GDPR or takes part in any stage of data processing.

- Accountability

The Insurer shall develop its organizational order and data processing system so that the management and processing of personal data can be tracked and it is possible to monitor, in the course of individual data processing operations, who performed what data operation.

 

6.)    Rights of Data Subjects and Ensuring thereof

a.)    Transparent Measures

The Insurer shall take organizational and technical measures in order to provide data subjects the information on the processing of their personal data on the basis of the factors specified in the GDPR in writing or verbally within the specified deadline (30 days).

Data subjects shall be informed in writing prior to the conclusion of the contractual relationship and the processing of personal data:

- in case of insurance contract upon filling the offer;
- in other cases upon providing the personal data or learning such data.

Such written information shall be provided free of charge. The information shall be qualified as written in the event of sending in electronic mail on the electronic interface developed for the data subject.

The information may only be denied in the cases specified by legal regulations. 

The data owners shall take care that the internal provisions regulating the contact with data subjects, the offer forms and the contractual terms and conditions shall include the information too. The Data Protection Officer shall take care of the easy accessibility of such information for the data subjects on the website of the Insurer.

The condition of verbal information of the rights of the data subjects is to identify the data subject and that the conditions of entitlement for information exist. Primarily the data owner of the data of the data subject and secondarily the person assigned to ensure data protection (Data Protection Officer) shall be responsible for information upon request of the data subject.

b.)   Information to be Provided if the Personal Data is Collected from the Data Subject

The data protection information provided to the data subject shall necessarily include the following basic information:

- person and contacts of the Insurer as data controller;
- person and contacts of the Data Protection Officer;
- purpose of processing personal data and the legal basis thereof (data processing based on consent, performance of contract or performance of legal obligation of the Insurer);
- categories of personal data involved.

 In order to ensure fair and transparent data processing the data subject shall be provided with the following supplementary information at the time of obtaining the personal data:

- term of storing the personal data or if it is not possible the aspects of determining this period of time;
- if the legitimate interest of the Insurer or a third party can be established, then about this fact;
- in the event that the legal basis of the data processing is the consent of the data subject, then about the right to access, rectify, erase, restrict processing, object to data processing and data portability as well as the consequences of withdrawing consent to data processing;
- about the right to lodge a complaint to the supervisory authority.

 c.)    Right of Access of the Data Subject

The Insurer shall provide continuous access to the personal data of the data subjects and the information involved in data processing as follows.

- General information concerning data processing on the website;
- in relation with the personal data concerning the performance of the contract in the contractual terms and conditions or in the data protection notice issued with it;
- in relation with specific data subjects about the operations related to their individual personal data on the basis of written or verbal enquiry.

d.)   Right of Rectification

Data subjects may request the rectification of their data or the completion of their incomplete data. In order to perform the request of data subjects the Insurer may request documents from the data subjects, based on the data of which the rectification or completion shall be performed without delay but within 3 working days at the latest.

e.)    Right of Erasure (“Right to be Forgotten”)

The Insurer shall erase the personal data of the data subject for the reasons set forth in the General Data Protection Regulation without delay but within 3 working days at the latest.

The data subjects shall not have the right of erasure in the event that the retention of their personal data is required for the performance of the obligations of the Insurer arising from the contracts thereof or any legal regulations, or any other legitimate interest gives grounds for the retention thereof.

The data owner shall request the opinion of the Data Protection Officer in order to legally reject erasure.

f.)     Right to Restrict Data Processing

The data processing may be restricted on the basis of the request of the data subject. The opinion of the Data Protection Officer shall be requested in the subject matter of such request of the data subject. In the event that under such opinion the restriction of data processing is acceptable then the data owner shall indicate the personal data of the data subject on every data carrier and records. Such indication may take place by indicating the identification number of the data subject in the records or in case of paper-based records by putting a mark on the first page of the documents.

 g.)   Obligation of Notification Related to the Rectification or Erasure of Personal Data or the Restriction of Data Processing

The data owner shall inform data subjects about the rectification, erasure or restriction of data in writing.

 h.)   Right of Data Portability

The data subjects have the right to request the transfer of their personal data in a widely used machine readable format. By way of derogation from the GDPR, data subjects shall be entitled to exercise this right even if their data was not processed by the Insurer on the basis of their consent, provided that such data processing is automated.

 i.)     Right to Objection and Automated Decision-Making in Individual Cases

The data subjects may object to the processing of their personal data for reasons related to their situation if the legal basis of the data processing is exclusively required for the enforcement of the legitimate interests of the Insurer or a third party, except if the interests or fundamental rights and freedoms of the data subjects, which make the protection of personal data necessary, prevail over such interest, in particular if the data subjects are children.

The personal data of the data subject shall be indicated in the event that such data is intended to be used for direct business purposes or transferred to the corporate group or a partnering company for the same purposes.

The consent of the data subject for transfer of data shall be obtained by each contractual partner and it shall be indicated in the system serving for the registration of personal data. The person recording the data shall be responsible for such indication.

In case of processing personal data for direct business purposes the attention of the data subjects shall be expressly called to this during the first contact and the relevant information shall be presented clearly and separately from any other information.

If the data subject objects to the processing of personal data for direct business purposes then such personal data shall not be processed for such purpose any longer. They may object to such data processing at any time without explanation. The Insurer shall require that the objection be reported in a demonstrable way. The form of this may be recorded telephone conversation or personal reporting, letter, fax or via the customer site.

The Insurer shall use automated decision-making in individual cases including profiling if the data subject gave express consent to it. The consent shall be obtained from the data subject prior to the application of the measure and it shall be indicated in the system. In such cases the data subject has the right to request human intervention from the Insurer, express their viewpoint and file an objection against the decision. Automated decision-making including profiling shall not constitute the basis for the special categories by the Insurer.

 

7.)    Data Management and Data Processing by the Insurer

The Insurer shall take appropriate technical and organizational measures on the basis of its DPIA data and continuous risk assessment as well as the provisions of the present policy in order to ensure and demonstrate that the personal data processing takes place in compliance with this regulation. Such measures shall be revised by the data controller and updated if necessary.

The Insurer shall take appropriate technical and organizational measures to ensure that data protection by design and by default under the GDPR is implemented adequately in the course of processing personal data.

 

8.)    Joint Data Processing

The Insurer may perform joint data processing if the purposes and means of data processing are specified jointly with another data controller. Such data processing shall be put in writing with the other data controller and contact persons shall be assigned therein for the data subjects.

 

9.)    Data Processing

The Insurer may apply a data processor for data processing under the following terms and conditions:

- the data processor shall provide warranties for the compliance of data processing with the provisions of the present regulation and for the implementation of appropriate technical and organizational measures ensuring the protection of the rights of data subjects;
- it shall not use any other data processor without the prior written specific or general authorization of the Insurer. In case of general written authorization the data processor shall inform the Insurer about any planned changes involving the use or replacement of additional data processors thus providing the possibility for the data processor to object to such changes;
- the data processor shall undertake the fulfilment of the conditions set forth in Paragraphs (3-5), Article 28. of the Regulation in a written agreement,
- furthermore the reporting of data protection incidents to the Insurer without delay.

In the event that the Insurer assigns other persons to process personal data also constituting insurance secrets, then the provisions of the Insurance Companies Act shall also be stipulated in the contract for data processing or other activity including data processing.

Data processing activity shall be used exclusively if the data processor undertakes the above terms and conditions and the Insurer has ascertained that the data processor is able to observe the warranty provisions set forth in the contract and the rights of the data subjects are not infringed.

 

10.) Recording Data Processing Activities

The individual organizational units of the Insurer shall maintain records of the personal data recorded and thus processed by them under Article 30. of the Regulation. The records - data inventory - shall be prepared indicating the scope of individual pieces of personal data and the data processing operations including the major details of the data processors and the data processing operations performed by them. The list of persons assigned to process personal data, the up to date list of personal data processed and the list of operations performed therewith shall be disclosed by the Insurer on its website.

The records shall be maintained by the data owners. The responsibilities of the data owners shall be set forth in their job descriptions and the present policy. Upon the termination of their employment or change of positions the data owners shall hand over their records of personal data to the persons taking over their responsibilities. The handover shall be recorded on the termination or position handover data sheet. In the absence of handover the legal relationship of the data owner shall not be legally terminated.

The data owner shall take care that the internal provisions (work instructions) regulating the operation of the organizational unit processing the data shall assign deadlines and a person in charge of erasure furthermore that organizational measures shall be taken to protect personal data and to specifically ensure the rights of the data subjects.

The provisions on the technical security of data processing, the data stored in the central log manager - including the derivative technical personal data arising from the information technology systems - and the storage times thereof shall be specified in the information technology policy of the Insurer.

 

11.) Data Protection Incident

The person detecting a data protection incident, including the data processor shall report it immediately to the data owner in charge of processing the given piece of personal data. The data owner shall prepare a report of the incident containing the detailed data set forth in Paragraph (3), Article 33. of the Regulation and forward it to the Data Protection Officer.

The Data Protection Officer shall perform risk assessment on the basis of the incident report. In the event that the data protection incident probably poses a risk to the rights and freedoms of natural persons then the Data Protection Officer shall report it to the competent authority within 72 hours of the incident at the latest and then shall take records of the effects thereof and the measures put in place to eliminate such effects.

If the reporting does not take place within 72 hours the reasons verifying the delay shall be annexed thereto.

The Data Protection Officer shall take records of all data protection incidents.

 

12.) Informing the Data Subject of the Data Protection Incident

If the data protection incident probably poses a high risk to the rights and freedoms of natural persons then the data controller shall inform the data subject without unwarranted delay about the data protection incident with the content set forth by the Regulation.

Informing the data subject is not mandatory if any of the following conditions is fulfilled:

a) the data controller performed appropriate technical and organizational protective measures and these measures were applied in terms of the data involved in the data protection incident, in particular the measures – such as applying encryption – making data uninterpretable for persons not authorized to access the personal data;

b) the data controller took additional measures after the data protection incident to ensure that the high risk on the rights and freedoms of the data subject established by weighing shall no longer take place in the future;

c) the information would require disproportionate effort. In such cases the data subjects shall be informed via public announcements or similar measures shall be taken to ensure the similarly effective information of the data subjects.

 

13.) Data Protection Officer

The Insurer shall appoint the Data Protection Officer on the basis of professional suitability and in particular the expert level knowledge of data protection law and practice as well as the suitability for fulfilling the responsibilities.

The Data Protection Officer shall fulfil the responsibilities detailed in Article 39. of the GDPR; in particular, (s)he shall inform, advise, and monitor the enforcement of provisions related to data protection, monitor the impact study, cooperate with the data protection authority and serve as a contact person in data protection issues.

The Data Protection Officer shall fulfil her/his responsibilities appropriately taking the risk related to the data processing operations into account and considering the nature, scope, circumstances and purpose of the data processing.

The Insurer shall publish the name and contact details of the Data Protection Officer in the present policy as well as on its website and disclose them to the supervisory authority.

The Data Protection Officer shall be provided with the information and authorizations required to perform her/his responsibilities.

The Data Protection Officer shall not accept instructions related to the performance of her/his responsibilities. The Insurer shall not dismiss the Data Protection Officer in relation with the performance of her/his responsibilities and shall not charge her/him with sanctions; (s)he shall be directly liable to the top management of the Insurer in relation with this activity.

The data subjects may address the Data Protection Officer in any issue related to the processing of their personal data and exercising their rights.

The Data Protection Officer shall be bound by an obligation of secrecy in relation with the fulfilment of her/his responsibilities or obligation of the confidential management of data.

The Insurer shall provide in its rule of organization and operation to ensure the rights of the Data Protection Officer provided in the present policy and the incompatibility thereof.

 

14.) Transfer of Personal Data

Personal data may be transferred to a third country or to any international organization on the basis of an adequacy decision, by providing appropriate warranties and remedies, or in the cases of derogations provided for special circumstances in the Regulation.

The opinion of the Data Protection Officer shall be asked in each case prior to establishing the order of data transfer.

 

15.) Remedies

Data subjects have the right to lodge a complaint to the supervisory authority – in particular in the member state of their normal residence, workplace or the place of the assumed breach – if the data subjects assume that the processing of their personal data breaches the provisions of the Regulation.