Skuld Privacy Notice
The purpose of this privacy notice is to inform individuals and possible data subjects about what Skuld does to protect personal data and comply with the European “General Data Protection Regulation” (GDPR).
“Personal data” means information relating to an identifiable natural person (the data subject), who can be identified directly or indirectly.
“Processing” means any operation or set of operations which is performed on personal data, such as collection, recording, storage, use, disclosure by transmission, dissemination or otherwise making available, erasure or destruction.
“Skuld” means Assuranceforeningen Skuld (Gjensidig), Norway, its branches and subsidiaries as listed in Skuld’s Statutes and Skuld Mutual P&I Association (Bermuda) Ltd.
Skuld is Data Controller (“Controller”)
The controller determines the purposes and means of processing personal data in Skuld. The President & CEO has ultimate responsibility, and the Head of the respective Business Unit (BU) has day-to-day responsibility in the business units in Oslo (Oslo1 and 2), Offshore, Bergen, London, Copenhagen, Hamburg, Piraeus, Hong Kong, Singapore and New York. Skuld has its head office in Oslo, and you will find the addresses and contact information of all BUs on Skuld.com.
Data Protection Officer (DPO)
Skuld has appointed a DPO to advise and inform staff, monitor compliance with GDPR and be the first point of contact to relevant supervisory authorities and for individuals whose data is processed.
Why is Skuld processing Personal Data?
Skuld processes personal information for the purposes of:
- Providing and administering relevant insurance policies
- Administering and paying claims
- Performing checks to avoid fraud and financial crime
- Recruiting personnel and fulfilling duties as an employer
- Marketing, arranging events
What kind of data is collected?
Skuld may collect the following information:
- Contact data related to members, correspondents, brokers and/or other relevant connections to Skuld’s insurance business.
- Personal information and health information related to personal injury/illness claims.
- Information about current and/or former employees, personnel representatives and temporary manpower.
- Information about persons involved in a recruitment process
Skuld may also collect sensitive personal data (e.g. medical information) when needed to process personal injury/illness claims cases. This information will only be used for the specific purposes for which it was provided and to carry out agreed service.
Where information is obtained
Most personal data are obtained from the data subject directly. With respect to personal injury/illness claims, the personal information (including health data) is obtained from members, correspondents and/or brokers.
The legal basis for lawful processing
Most of the contact information is processed because it is necessary for the performance of the insurance contract. Processing of contact information for marketing purposes only is based on consent when required.
Personal information and health information related to personal injury/illness claims are processed to fulfil the legal obligations of the Controller and such processing is necessary to process legal claims.
Employee information is processed as it is necessary for the performance of a contract. The use of employees’ photos is based on consent.
Transfer of Personal Data to Third Parties
Personal information is transferred to relevant welfare and tax authorities, Skuld’s pension and insurance broker and providers. Employees are offered some health services and in this case their contact information may be transferred to the health service provider. The same will apply to employee information in other jurisdictions in which Skuld operates.
Occasionally we may share personal data with lawyers in connection with litigation, or for services relating to visa applications to Norwegian authorities.
Personal information may be passed to other organizations to assist in fraud prevention and detection including, but not limited to, the police or any regulatory or government authority. Please contact us if you wish to learn more about this.
Trans-Border Data Transfers
To provide full benefit of our international service, we may transfer personal information to one of our offices within or outside the EU/EEA. There is restricted access to personal injury/illness claims. Every BU/Department in Skuld will have access to their own cases only, with the exception of claims handlers in the New York office and the claims management team.
Generally, contact information is available in Skuld’s IT systems for all Skuld employees. Such data transfers will be done for the same limited purposes as mentioned above and the data security is unchanged.
How Long Will Personal Data be Retained
Retention of specific personal data may be necessary for one or more of the following reasons:
- To fulfil statutory or other regulatory requirements;
- To evidence events/agreements in case of disputes;
- To meet our operational needs;
- To save data for historical purposes.
Personal data that is collected and subsequently not used for any business purpose will be regularly reviewed and may be deleted.
The Right to Withdraw Consent
In situations where Skuld requests and receives consent to perform processing, we are also obliged to stop such processing, if you as data subject decide to withdraw your consent. Withdrawing consent is as straightforward as giving consent. Withdrawing consent cannot be back-dated so it has no effect on processing already performed during the period of consent.
Data subject’s rights to access, change, delete, restrict, object, request a copy
You have the following rights regarding the personal data we store on your behalf:
- access to a copy of your personal data;
- object to certain processing;
- stop receiving direct marketing material;
- have inaccurate personal data rectified, blocked, erased or destroyed;
- claim compensation for damages caused by a breach of the GDPR.
Should you ever wish to exercise any of these rights, please contact the Data Protection Officer.
We are committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure we have put in place appropriate physical, electronic and managerial procedures to safeguard and secure the personal and confidential information we process.
Training of Staff
We are committed to making staff aware of the requirements under relevant privacy legislation and GDPR. Our staff are aware that personal or sensitive data can only be disclosed in limited circumstances.
We are committed to meeting our obligations under the applicable local privacy legislation in addition to the EU regulation (2016/679) on the protection of natural persons with regard to the processing of personal data (GDPR), which also applies to EEA countries such as Norway.