- IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER
The data controller of the DATA SUBJECT’s personal data is F. REGO – Corretores de Seguros, S.A. (hereinafter referred to as F. REGO).
F. REGO, whose business is governed by Law No. 7/2019, of 16 January and the relevant regulation published by ASF, according to the category of insurance broker, under the terms of the contracts, protocols, agreements or conventions established with the Insurance Companies – companies that have received a permit from the competent authority of one of the Member States of the European Union for carrying out the insurance business (hereinafter called INSURANCE COMPANIES) – may have a wide range of forms and modes of relationship, business and performance models in relation to the INSURANCE COMPANIES, with effect on the purposes and means of processing the personal data of the DATA SUBJECT, and for this reason may act, with regard to data protection legislation, as the “Controller”, “Subcontractor” or as the “Joint Controller” of personal data, provided by the respective DATA SUBJECT while filling in the DOCUMENTS, irrespective of their support, directly or through third parties, or which have been generated by F. REGO, either in the context of prior contacts, or in the conclusion, performance, renewal or termination, through them, of the insurance contract or operation or which have resulted from them and concerning the DATA SUBJECT, whether in his/her capacity as policyholder, insured person, beneficiary or his/her representative, and also to claimants or third parties and their representatives.
PERSONAL DATA shall be processed by F. REGO, as appropriate, either as “Controller”, “Subcontractor” or as “Joint Controller”, for the purposes listed in item (D) below, in strict compliance with the provisions of the legislation in force on the protection of personal data.
- DATA PROTECTION OFFICER – DPO
The DPO shall perform his/her duties pursuant to articles 37 to 39 of the GDPR and article 11 of Law No. 58/2019 of 08 August.
Address: Avenida da República, 740 – 2º salas 23/24, 4430-190 – Vila Nova de Gaia
Telephone contact: 223745760
- PERSONAL DATA PROCESSING
The DATA SUBJECT’s personal data provided in the relationship established with F. REGO shall be processed in accordance with the legally applicable principles, namely:
- a. Processed in a lawful, fair, and transparent manner;
- b. Collected for specified, explicit and lawful purposes, and shall not be further processed in a manner incompatible with those purposes;
- c. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- d. Accurate and, if necessary, updated, assuring that appropriate measures shall be taken to ensure that data which is inaccurate or incomplete is erased or rectified, considering the purposes for which data was collected or for which it is further processed;
- e. Kept in a form which allows the identification of data subjects for no longer than strictly necessary and within the scope of the law for the purposes of collection or further processing.
- PURPOSE AND LAWFULNESS OF DATA PROCESSING
The DATA SUBJECT’s personal data may be collected and processed by F. REGO in a lawful manner should the following situations occur:
- a. The DATA SUBJECT has given consent to the processing of his or her personal data for one or more specific purposes;
- b. Compliance with legal obligations that F. REGO is subject to, in particular with supervisory, tax or judicial authorities;
- c. Implementation and management of the Insurance Contract and Insurance Brokerage, or for pre-contractual proceedings, with the intervention of F. REGO.
Data processing of the DATA SUBJECT’s personal data is carried out on the basis of the implementation of the Insurance Contract and Insurance Brokerage or for pre-contractual proceedings and in compliance with the legal obligations imposed on F. REGO, namely in supervisory, tax, or legal matters (see article 6.1(b)(c) and article 9.2(b)(h) of the GDPR).
Additionally, the personal data collected under subparagraph (a) is for F. REGO to carry out research and commercial activities, as well as to manage the Insurance Contract and Insurance Brokerage (see article 6.1(a) of the GDPR) and in the legitimate interests of F. REGO or third parties to develop and grow its business (see article 6.1(f) of the GDPR).
- PERSONAL DATA REQUIRED FOR THE FULFILMENT OF A LEGAL OBLIGATION AND CONTRACTUAL PERFORMANCE OR PRE-CONTRACTUAL PROCEEDINGS
Unless the DATA SUBJECT provides F. REGO with his or her personal data, whenever the compliance with the purposes provided for in subparagraphs (a) and (b) of item (D) above is involved, the relevant contract shall not be signed and the DATA SUBJECT may default on the contract; in addition, the provision of said data is a legal, contractual or pre-contractual obligation on the part of the DATA SUBJECT.
If the DATA SUBJECT fails to provide F. REGO with his or her personal data in accordance with the above terms, the latter will be unable to comply with its legal and contractual obligations; besides, where such personal data is required for the conclusion of any insurance contract and its performance, INSURANCE COMPANIES will not accept any contract arranged by F. REGO if no such personal data is provided.
- INDIRECT COLLECTION OF PERSONAL DATA
F. REGO may collect information concerning the DATA SUBJECT that is considered relevant for the assessment of the risk to be insured and set, by the INSURANCE COMPANIES, with the intervention of F. REGO, the contractual conditions of the insurance, from sources that the public, public bodies, associations of the sector, existing computer platforms or specialized companies can access, to complement or confirm the information provided by the DATA SUBJECT, for the management of the pre-contractual and contractual insurance relationship, through F. REGO, including the carrying out of insurance brokerage business in accordance with the specifically applicable legislation, in the framework of the compliance with its duties of information, clarification, transmission, advice, assistance and registration imposed as per the said legislation.
- TELEPHONE CALL RECORDINGS
In the telephone contacts between the DATA SUBJECT and F. REGO, within the scope of its business, the latter may, if applicable, record the calls, subject to prior information and consent given by the DATA SUBJECT, for the management of the pre-contractual and contractual relationship, through F. REGO, and the compliance with the legal and judicial obligations, namely, as evidence of information or instructions given, as well as for the improvement of the services offered or engaged, and also for their quality control.
- RECIPIENTS AND CATEGORIES OF RECIPIENTS OF PERSONAL DATA
The DATA SUBJECT’s personal data may be communicated, subject to a non-disclosure agreement, to other companies in an existing or future dominant or group relationship (Group) that F. REGO integrates or will integrate, whose credentials and contact details may be, at any time, requested from the Personal Data Protection Contact, and may be processed by other entities in relation to which F. REGO certifies, if applicable, as “Subcontractor” or “Joint Controller”, as to whom F. REGO has subcontracted its processing, as well as its insurance co-brokers or People Directly Involved in the Insurance Distribution Business (PDEADS). F. REGO’s personal data may also be processed by other INSURANCE COMPANIES or co-brokers in the context of the settlement of claims.
For the purposes described and in compliance with legal obligation, F. REGO’s personal data may be transmitted to legal, administrative, supervisory or regulatory authorities, as well as to entities that legally regulate or perform data collection activities, fraud prevention and fighting activities, market research, or statistical or technical-actuarial studies.
- HEALTH DATA
In case of some risk coverage to be transferred from the DATA SUBJECT (namely, in health insurance, personal accident insurance or others), which falls within the category of special and sensitive data, the submission, proposal, conclusion or performance of the insurance contract, with the legal and/or contractual intervention of F. REGO, involves or may involve the processing of data relating to the DATA SUBJECT’s health, either in the context of the pre-contractual relationship, for the identification, analysis of the proposed risk and setting of the contractual conditions, or in the context of the management of the contractual relationship, use of the cover, claims management, as well as in processes of renewal and contractual alterations.
F. REGO shall process the data in question, either as “Controller”, “Subcontractor” or as “Joint Controller”, for the above mentioned purposes, subject to the consent of the DATA SUBJECT or his/her representative, without prejudice to cases where processing is based on different lawfulness grounds (such as for the purpose of complying with obligations and exercising rights specific to F. REGO, the INSURANCE COMPANIES, third parties or the DATA SUBJECT himself/herself, within the scope of labor law, social security and social protection insofar as such treatment is permitted by the European Union or Member State law or a collective agreement providing for adequate safeguards of the fundamental rights and interests of the DATA SUBJECT). In these cases, the INSURANCE COMPANIES will not accept any insurance contract, concluded through F. REGO, unless health data relating to the DATA SUBJECT can be processed; without such processing, making the proposed risk analysis, signing the insurance contract, transferring the risk, placing and accepting the desired coverage or even maintaining the contract in force with the INSURANCE COMPANIES would be impracticable.
The health data processing shall be governed by the principle of the need for knowledge of the information. In doing so, F. REGO shall ensure that all appropriate security measures are taken to safeguard the information and shall ensure that all workers with access to the data strictly comply with the duty of confidentiality.
The DATA SUBJECT shall be notified of any access to his/her personal data through traceability and notification mechanisms provided by F. REGO.
F. REGO shall process the health data within the terms and limits provided for in article 29 of Law No. 58/2019 of 8 August.
- RIGHTS OF THE PERSONAL DATA SUBJECT
In accordance with the GDPR, the DATA SUBJECT may request, at any time:
- a) Access to his or her personal data: he or she has the right to obtain confirmation as to whether or not personal data concerning him or her is being processed and, if so, the right to access his or her personal data and the information provided for in the GDPR.
- b) The rectification of his or her personal data: he or she has the right to obtain, without undue delay, from F. REGO the correction of inaccurate personal data concerning him or her.
- c) Deletion of his or her personal data: he or she has the right to have his or her personal data deleted immediately without undue delay by F. REGO and F. REGO must delete the personal data without undue delay where one of the following reasons applies, namely: (1) personal data that is no longer required for the purpose for which it was collected or processed; (2) the DATA SUBJECT withdraws the consent on which the data processing is based (where it is based on consent) and there is no other legal ground for its processing; (3) the DATA SUBJECT objects to the processing and there is no overriding legitimate interest justifying the processing;
- d) To limit the data processing performed: the DATA SUBJECT has the right to request F. REGO to limit the data processing, if one of the following situations occurs: (a) the DATA SUBJECT contests the accuracy of the personal data, for a period enabling the controller to verify its accuracy; (b) the processing is unlawful and the data subject objects to the deletion of the personal data and instead requests the limitation of their use; (c) F. REGO no longer needs the personal data for processing purposes, but such data is required by the DATA SUBJECT for the purpose of declaration, exercise or defense of a right in legal proceedings; (d) the DATA SUBJECT has objected to the processing until it is established that the legitimate grounds of F. REGO prevail over those of the DATA SUBJECT.
- e) The right to object to the processing: when data is processed for the purpose of F. REGO’s legitimate interest, the DATA SUBJECT has the right to object, at any time, on grounds relating to his/her particular situation, to the processing of personal data concerning him/her. F. REGO shall cease processing personal data unless it provides compelling legitimate grounds for such processing that override the interest, right, and freedom of the data subject, or for the purposes of asserting, exercising or defending a right in judicial proceedings.
- f) The right to data portability: the DATA SUBJECT has, under the terms and conditions determined by law, the right to receive personal data that concerns him or her and that he or she has provided to F. REGO, in a structured, commonly used and automatically readable format, and the right to transmit such data to another controller without the controller to whom the personal data has been provided being able to prevent it, provided: (a) Processing is based on consent or on a contract; and (b) Processing is performed automatically.
If the requests made by the DATA SUBJECT are clearly unfounded or excessive, in particular because of their repetitive nature, F. REGO may (i) demand the payment of a reasonable fee taking into account the administrative cost of providing the information or communications or of taking the action requested, or (ii) refuse to comply with the request.
With regard to the personal data processed by F. REGO based on the consent given by the DATA SUBJECT, the right to withdraw consent shall be granted, without the exercise of such right being likely to compromise the lawfulness of the processing accomplished on the basis of the previously given consent, or the subsequent processing of these data, based on another legal ground, such as the compliance with a contractual or legal obligation which F. REGO is subject to.
Furthermore, the DATA SUBJECT has the right to file a complaint with the National Commission for Data Protection.
- STORAGE PERIOD FOR PERSONAL DATA
- 1. Unless otherwise required by law or regulation, the personal data collected shall be stored for the minimum period necessary for the original purposes for which they were collected or further processed.
- 2. Without prejudice to the previous paragraph, the DATA SUBJECT’s personal data collected by F. REGO shall be stored for the following periods:
- a) Purposes whose processing is based on the performance and management of the insurance contract and insurance brokerage or pre-contractual proceedings – Until the expiry of the statutory limitation period for all obligations arising from the insurance contract and the related insurance brokerage business. If no contract has been entered into, the data collected in the pre-contractual phase for which no special storage period exists shall be deleted six (6) months after the last contact made between F. REGO and the DATA SUBJECT.
- b) Purposes whose processing is based on consent or legitimate interest – One year after the end of the contractual and legal relationship.
- c) Purpose whose processing is based on the compliance with a legal obligation – Deadline applicable at each moment for each legal obligation to be met, until the period for exercising the rights expires or lapses.
- d) Purpose relating to the Recording of telephone calls – As per the deadlines specified in the resolutions of the National Commission for Data Protection (CNPD) that establish the principles applicable to the processing of telephone call recording data, namely Resolution No. 1039/2017.
- 3. The DATA SUBJECT’s right of deletion may only be exercised after the expiry of the data storage period prescribed by law.
- AUTOMATED DECISION MAKING
Within the scope of the subscription and renewal of insurance contracts or operations, the INSURANCE COMPANIES may resort to automated decision-making solutions which are required for the conclusion and performance of the relevant insurance contract or operation, through F. REGO, using the information on the policy-holder or the insured, collected in the context of the management of the contractual or pre-contractual relationship, from which decisions may be taken regarding the contractual conditions applicable to the subscription or renewal.
The DATA SUBJECT may also request, from the Personal Data Protection contact, more detailed information on the logic involved in the processes in question, in the context of the subscription and renewal of contracts, through F. REGO, namely on the information taken into account, for the purpose of making exclusively automated decisions and the way in which it integrates the decision making process of the INSURANCE COMPANIES. In all cases where INSURANCE COMPANIES take decisions solely on the basis of automated data processing, the relevant processes shall incorporate at least mechanisms which give the data subject the possibility to:
- a. express his or her point of view;
- b. object to the decision; and
- c. request and obtain from the INSURANCE COMPANIES, directly or through F. REGO, human intervention in the decision-making review process.
- PERSONAL DATA PRIVACY AND PROTECTION
F. REGO applies appropriate technical and organizational measures to ensure a level of security appropriate to the risk by keeping personal data of the DATA SUBJECT on file.
F. REGO has an IT system capable of resisting, with a high level of confidence, accidental events or malicious or unlawful actions that compromise the availability, authenticity, integrity and confidentiality of personal data stored or transmitted, as well as the security of the related services offered or accessible through these networks and systems.
- INTERNATIONAL TRANSFER OF DATA TO OTHER ENTITIES
The personal data collected shall not, as a rule, be transferred to any entity established outside the territory of the European Union.
Exceptionally, and subject to certain conditions, F. REGO may transfer the DATA SUBJECT’s personal data to countries outside the territory of the European Union, in accordance with the applicable legislation, in particular for the purposes of data hosting or storing, technical processing subcontracting, back-up and recovery of the data stored, service development.
F. REGO shall not transfer any personal data to countries that fail to guarantee an adequate level of protection according to the GDPR.
The DATA SUBJECT who has suffered any damage as a result of the unlawful processing of data in breach of the provisions of the GDPR or of Law No. 58/2019, shall be entitled to obtain compensation from F. REGO or from the subcontractor for the damage suffered.
F. REGO or its subcontractors shall not incur civil liability if they are able to prove that the damage is not caused by them.
The degree of advertising of any important amendment shall follow its relevance, either by highlighting it in the online posting, or, if the relevance so justifies, by personal communication to the DATA SUBJECTS.
Updated on 1 June 2020.