1 Purpose of the document
INVL Life is committed to processing your personal data in accordance with the relevant legislation, including the General Data Protection Regulation (2016/679), and other applicable regulation.
Protecting your data and your privacy and processing your data in a secure manner are very important to INVL Life, so whether you are a new or a long-time customer of ours, we recommend that you familiarize yourself with our practices. And in case you have any questions, do not hesitate to contact us!
3 Whose Data Do We Process and Where Do We Collect Data From?
Personal data is mainly collected from the persons themselves before and during the customer relationship, employment or other contractual relationship. We also receive data from employers with regard to the employer’s group insurance plans. We receive data from high risk persons registers of insurance companies in Estonia. We also receive data from other reliable parties and public registers maintained by authorities. For example states population register, Commercial register and International sanctions list.
4 How and Why We Process Personal Data?
4.1 The Customers of INVL Life
We process personal data for example to manage customer relationships, to comply with the requirements of law, to protect our legitimate interests, as well for direct marketing and for develop our services. We process personal data only to the extent necessary or as required by law. The categories of data we process and the details of the processing depend on what group of persons or customers you belong to. We categorize customers into different groups, for example based on what kinds of products they have selected or based on their investment capital. This helps us to offer each customer group products and services that are most interesting and best suited for them. When we offer investment solutions related to our services, we assess the customer’s investing and saving needs and willingness and capability to take risk in accordance with our statutory obligations.
When we process insurance claims, we do not use personal data for making automated decisions. In Estonia, we store customer service calls to ensure the quality of customer service and to confirm assignments or deals. Personal data is also processed to carry out customer satisfaction surveys. We process personal data for statistical purposes in order to fulfil our statutory obligations and in order to report on our services. Individual persons or companies are not identifiable from the statistics or reports.
4.2 Employees, job applicants, representatives and others working for INVL Life
We process personal data with regard to the employment or other contractual relationship and for example to fulfil our statutory employer obligations for example to pay out salaries, sales bonuses, commissions fees and to do fit and proper assessment.
As regards job applicants, we process personal data provided to us by the applicant during the recruiting process in order to fill open positions.
4.3 More specific information
You can find more detailed descriptions of the categories of data, the purposes and legal grounds for the processing in our register descriptions below, by choosing the right register and to which group you belong to.
5 How Long Is Personal Data Retained?
We retain personal data for as long as is necessary for the purposes for which the data is collected or as long as required by law. The periods for bringing proceedings under the Estonian Law of Obligation or Lithuanian civil code or Latvian Civil law, as well as storage times resulting from legislation related to the prevention of money laundering and accounting regulations among other things, impact the storage times of the customer data of private customers. The maximum possible storage time is applied to data to which different storage times apply. You can find a more detailed description of the storage times for personal data in our register-specific register descriptions.
6 Is Personal Data Disclosed or Transferred to Others?
Personal data can be disclosed to parties outside INVL Life as allowed or required by law. Data may be disclosed e.g. to authorities (such as the Estonian or Latvian or Lithuanian tax authorities, the Estonian insurance companies’ high risk persons registers), as well as, or based on the law regulating insurance activities or data subject’s consent. Personal data may be disclosed, to the extent permitted under the law, to other companies belonging to the same group for the purpose of managing customer service and other customer relationship matters, as well as the conglomerate’s risk management. The processing of personal data within the group is restricted to the necessary circle of persons, and the disclosure of sensitive data is prohibited.
If we decide to sell, buy, merge or otherwise reorganize our businesses, this may involve us disclosing and/or transferring personal data to prospective or actual buyers and their advisers, or receiving personal data from sellers and their advisers.
You can read more about the disclosure of personal data in our register specific register descriptions.
Personal data is mainly stored and processed within the EU and the EEA. If data is transferred outside the EU and the EEA to countries for which the European Commission has not issued a decision of adequacy of data protection, we will take care of protecting the data for example by using the standard contractual clauses approved by the European Commission. Sensitive data is not transferred outside the EU and the EEA. Transferred data is processed only on behalf of INVL Life.
7 What Rights Do You Have?
You have for example the right to access your data, the right to rectify inaccurate data and the right to erasure as described in more detail below. Please also note that INVL Life has statutory obligations to store some of the data and INVL Life may have an obligation to process or store your data even if you object to the processing or ask for the data to be erased.
You can use your rights described below by contacting our customer service.
We will respond to your request within one month of receiving the request. In special circumstances we can extend the time limit by two months as allowed by legislation, taking into account the complexity and number of the requests.
7.1 The Right of Access by the Data Subject
You have the right to receive confirmation on whether or not INVL Life is processing your personal data. If your personal data is being processed, you have the right to access the data and to receive a free of charge copy of the data. The confidentiality obligations set in the legislation applicable to the insurance and finance sector (for example the act on detecting and preventing money laundering and terrorist financing) may restrict the use of your right to access information.
7.2 The Right to Rectification
You have the right to request that INVL Life rectifies any inaccurate personal data and completes any incomplete data.
7.3 The Right to Erasure (the Right to Be Forgotten)
You have the right to request the erasure of your data and if the processing of your data is based on your consent, the right to withdraw your consent. If you request the erasure of your data or withdraw your consent, we will delete the data unless there are other legal grounds for the processing or unless we have a statutory obligation to store the data. In any case, we will delete your data after the retention period has ended.
7.4 The Right to Restriction of Processing
You have the right to request that we restrict the processing of your personal data in cases where the conditions set in legislation are met. Please also note that the right to restriction of processing does not apply to the processing of personal data carried out to fulfil the statutory obligations of INVL Life.
7.5 The Right to Data Portability
If the processing of your personal data is based on your consent or the performance of a contract, you have the right to receive the personal data you have provided us in a structured and commonly used format and the right to have electronical data transferred to another data controller.
7.6 The Right to Object
You have the right to object to the processing of your personal data if the processing is based on the legitimate interests of INVL Life or a third party.
You also have the right to object to the processing of your personal data for direct marketing purposes.
7.7 The Right to Lodge a Complaint
If you find the processing of your personal data in conflict with the applicable legislation, you have the right to lodge a complaint with the data protection authorities.
In addition to managing the customer relationship we use personal data for marketing our services and products. The marketing is carried out online, by mail and by telephone. The marketing can be targeted at the current and potential customers of INVL Life. In addition to marketing, we also contact our customers with customer communications. As regards the members of the institutional customers of INVL Life, we only market to the members who have given us their consent for marketing.
Our online marketing consists of for example e-mails, online advertisements or online campaigns on social media environments (for example Facebook or LinkedIn). Our e-mails include newsletters for different customer groups and for example event invitations. We use partner companies to target our online advertising for example so that people are shown ads related to products and services whose pages they have visited before. The targeting of advertising takes place automatically and utilizes cookies, and the data used is not connected with the data related to the insurances or investments of the customer.
8.1 Opting Out of Marketing
You can manage your e-mail subscriptions through our customer service. In addition, each e-mail message includes a link through which you can unsubscribe. You can also opt out of marketing communications by contacting our customer service.
Cookies are small text files that are stored on the visitor’s computer or other device when visiting the websites of INVL Life. Cookies are used for example to maintain the session after the user logs in to the web service and to remember the selections made by the user when moving from one page to another. We can also utilize cookies for example to individualize website visitors and to compile statistics of the visits to our websites. Both session cookies and persistent cookies set by INVL Life and our partners are used on INVL Life digital services including web site.
9 How is Personal Data Protected and What Kinds of Risks Are Involved?
We use the necessary and appropriate technological and administrative data protection methods in accordance with the best practices to protect personal and other data. These methods include the use of firewalls, strong encryption techniques and secure facilities, access controls and the limited granting of rights, training of the staff as well as the careful selection of subcontractors. The subcontractors are contractually bound to comply with the applicable legislation and the data protection principles and guidelines of INVL Life.
The processing of personal data is only allowed for employees who need to use the data to carry out their tasks. The systems containing personal data have individual user accounts and the use of the systems is monitored. In addition to a statutory confidentiality obligation, INVL Life employees processing personal data are bound by confidentiality agreement. Personal data that is no longer necessary is deleted securely.
Despite careful and appropriate security measures, data processing always includes a risk. If a data security breach that is likely to result in a high risk to your privacy or other rights takes place despite the security measures, we will contact you as soon as possible.
10 Who Can I Contact?
If you have questions about data protection, you can contact our customer service in following countries and locations:
Lõõtsa 12, Tallinn 11415, Eesti
+ 372 6 812 300
Kronvalda bulvāris 3-3, Rīga, LV-1010, Latvija
Gynėjų g. 14, LT-01109 Vilnius, Lithuania
+370 8 700 55 959