Information on personal data processing following Article 13 of the General Data Protection Regulation (GDPR)
I. Who is the controller of your personal data and who is the processor?
Addiko Bank d.d., Dunajska 117, 1000 Ljubljana (the “Bank”) enables the conclusion of travel insurance via Addiko Mobile in cooperation with Uniqa d.d., Planinska 13A, 10000 Zagreb, Croatia (“Uniqa”).
Roles:
• Uniqa is the data controller for the processing of personal data needed to prepare, conclude and manage the travel insurance contract. Information on the processing of personal data by Uniqa is available here: Uvjeti korištenja – UNIQA osiguranje.
• The Bank acts as Uniqa’s data processor only for the technical step of transferring the data you request to be forwarded via Addiko Mobile.
Contacts:
• the Bank’s Data Protection Officer: dpo.si@addiko.com, and
• Uniqa: dpo@uniqa.hr.
II. Which personal data are processed, for what purpose, on which legal basis, from which sources?
To enable Uniqa to prepare and conclude your travel insurance contract, the Bank transfers the following data from its customer records to Uniqa:
• name and surname,
• date of birth,
• residential address,
• bank-issued unique identification number,
• state-issued tax number,
• email address, and
• telephone number.
Purpose: enabling the preparation and conclusion of the travel insurance contract in Uniqa’s embedded flow.
Legal basis: Uniqa processes your data for pre-contract steps and conclusion of the insurance contract on the basis of Article 6(1)(b) GDPR; details are in Uniqa’s privacy information see link above). The Bank processes the transfer as a processor on Uniqa’s instructions.
Source of data: the Bank’s customer records.
III. Further processing of personal data
As explained above, the transfer of identification data to Uniqa is a prerequisite for continuing the process of concluding an insurance contract.
IV. Is the individual obliged to provide personal data?
Yes, for concluding travel insurance via Addiko Mobile, the transfer of the listed data to Uniqa is necessary. Without it, the insurance contract cannot be concluded via the app.
V. Recipients of personal data
Recipient of the transferred data: Uniqa (as controller).
Uniqa’s further recipients/processors (if any) are described in Uniqa’s privacy information.
VI. Automated decision-making and profiling
The Bank does not perform automated decision-making or profiling in connection with the transfer. Any automated processing by Uniqa is described in Uniqa’s privacy information.
VII. Data retention periods
Bank: the Bank retains minimal technical/accountability records of the transfer (e.g., evidence that the transfer occurred) for five (5) years after the end of the year in which the transfer occurred, as instructed by Uniqa.
Uniqa: retention related to the insurance contract is governed by Uniqa and described in Uniqa’s privacy information
VIII. Rights of the individual
You can exercise GDPR rights (Articles 15–21) depending on the role:
• Requests about insurance processing (contract conclusion/management): contact Uniqa: dpo@uniqa.hr.
• Requests about the Bank’s limited processing (transfer logs/records): contact the Bank at dpo.si@addiko.com.
In accordance with Articles 15 to 21 of the GDPR, the individual has the following rights:
• Right of access (Article 15): the right to obtain information on which personal data the bank processes, for what purpose, from which sources the data originate, and to whom they are disclosed.
• Right to rectification (Article 16): the right to request the correction of inaccurate or incomplete data.
• Right to erasure (Article 17): in certain cases, the right to request the deletion of personal data (for data retention periods, see Chapter VII of this document).
• Right to restriction of processing (Article 18): the right to request that the processing of personal data be temporarily restricted.
• Right to data portability (Article 20): the right to request that personal data be provided in a structured, commonly used, and machine-readable format.
• Right to object (Article 21): the right to object to processing where it is based on the Bank’s legitimate interests.
The individual also has the right to lodge a complaint with the supervisory authority, namely the Information Commissioner, which oversees the implementation of the GDPR, with its registered office at Dunajska 22, 1000 Ljubljana.
IX. Transfers to third countries
For the purposes of the transmission described in this notice, the Bank and Uniqa does not transfer personal data to third countries.