1. Definitions and general provisions
1.1. For the purposes of these Terms and Conditions, a Data Subject is a natural person whose Personal Data is processed by the Insurer in connection with a Customer Relationship, including a natural person Customer, a representative of a legal person Customer and/or a person related to a Customer Relationship.
1.2. Data processing is any operation, automated or not, which is performed upon Personal Data (including collection, consultation, reading, recording, organisation, structuring, storage, alteration, retrieval, use, disclosure, deletion, destruction, etc.).
1.3. Personal Data is any information about an identified or identifiable person (Data Subject).
1.4. General Data Protection Regulation (GDPR) is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5. The Insurer (Controller) is Elama Kindlustus AS, registry code 10089395, Liivalaia 45, Tallinn, Republic of Estonia, tel: +372 6410 436, e-mail: elama@elama.ee, website: https://www.elama.ee.
1.6. A Customer Relationship is a legal relationship that arises between the Customer and the Insurer when the Customer uses, has used, or has expressed a wish to use, any of the Services provided by the Insurer.
1.7. Persons related to the Customer Relationship are natural persons (including persons representing legal entities) whose Personal Data the Insurer is entitled and obliged to process by virtue of the Customer Relationship, the insured event and/or the law (including insured persons, beneficiaries, owners and users of vehicles involved in the insured event, persons responsible for the loss or damage, injured parties, witnesses to the loss or damage, other persons in relation to whom the controller has a legitimate interest in processing personal data) in order to exercise the rights and obligations of the Insurer under the contract with the Customer, under the law, the General Data Protection Regulation or other relevant legislation.
1.8. A Customer is any natural or legal person who uses, has used or has expressed the intention to use the Services provided by the Insurer.
1.9. A Third Person is a person who is neither the Customer nor an employee of the Insurer.
1.10. A Service is a service provided by the Insurer to the Customer.
1.11. A Processor is a person who processes Personal Data on behalf of the Insurer.
2. General principles on the processing of personal data
2.1. The processing of personal data by the Insurer shall be carried out in accordance with the requirements set out in the General Data Protection Regulation, the Personal Data Protection Act, the Insurance Activities Act, the Motor Insurance Act, the recommendations of supervisory authorities and other relevant legislation, and these Terms and Conditions.
2.2. The Insurer shall ensure the lawfulness, fairness and transparency of the processing of Personal Data.
2.3. The Insurer shall ensure that Personal Data is collected for specified, explicit, and legitimate purposes and is not processed in a way that is incompatible with those purposes.
2.4. The Insurer shall ensure that the Personal Data is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
2.5. The Insurer shall ensure that the Personal Data is accurate and, where necessary, kept up to date and that all reasonable steps are taken to ensure that Personal Data which is inaccurate for the purposes for which it is processed is erased or rectified without undue delay.
2.6. The Insurer shall ensure that Personal Data is processed in a manner that ensures appropriate security of Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures.
2.7. The Insurer shall require Third Parties to whom Personal Data is transferred or disclosed under these Terms and Conditions to comply with the security and confidentiality rules set out by the Insurer.
3. Composition of Personal Data processed
3.1. The Insurer processes the Personal Data of Data Subjects that the Insurer has obtained in the course of the Customer Relationship, including data provided by the Customer, data received from Third Parties, data obtained by the Insurer in the course of handling insurance claims and data in the public domain (e.g. from public registers and data published on the internet).
3.2. The main types of Personal Data processed by the Insurer are:
3.2.1. identifying data (including name, personal identification number, date of birth, identity document details, residence, nationality, etc.) processed to establish the identity of the Data Subject and to fulfil the legal obligations of the Insurer;
3.2.2. contact information (including address, telephone number, email address, etc.) of the Data Subjects processed for the purposes of managing Customer relationships, providing Services to Customers, fulfilling the Insurer’s legal obligations, and protecting the interests of Data Subjects and the Insurer;
3.2.3. data relating to the Customer’s contracts (including details of concluded and/or terminated contracts, details of vehicles related to the contracts and insured events, applications, statements, fees related to the contracts, breaches of contract, etc.), which are processed in order to provide the Customer with the Services, manage Customer relationships, fulfil the Insurer’s legal obligations and protect the interests of the Customer and the Insurer;
3.2.4. data relating to the Customer’s reliability (e.g. payment history, data concerning the application of an international sanction) processed in order to fulfil the Insurer’s legal obligations and to provide Services to the Customer;
3.2.5. data obtained in the course of the performance of the Insurer’s statutory obligations (e.g. data resulting from inquiries by notaries, bankruptcy administrators, bailiffs, data resulting from inquiries and claims of other insurers in connection with the handling of insurance cases, etc.), which are processed in order to fulfil the legal obligations of the Insurer;
3.2.6. data on Customer satisfaction and preferences (e.g. data on the activity of using the Services, on the Services used, data related to Customer requests and complaints, etc.), which are processed in order to fulfil the legal obligations of the Insurer, to provide additional services to the Customer, to conduct customer surveys and to carry out statistical analysis;
3.2.7. photographs and videos relating to insured events handled by the Insurer, which are processed in order to fulfil the Insurer’s legal obligations and to prove, exercise, and defend legal claims;
3.2.8. health information relating to insured events handled by the Insurer, which is processed in order to fulfil the Insurer’s legal obligations and to prove, exercise and defend legal claims;
3.2.9. data relating to the commission of or falling victim to an offence by persons involved in insured events covered by the Insurer, which are processed in order to fulfil the legal obligations of the Insurer and to prove, exercise, and defend legal claims.
4. Purposes and legal grounds for processing personal data
4.1. The Insurer shall process Personal Data:
4.1.1. for the identification of Data Subjects, whereby the processing is based on the implementation of pre-contractual measures at the request of the Customer, the performance of a contract with the Customer, the fulfilment of a legal obligation by the Insurer or the legitimate interest of the Insurer;
4.1.2. for pre-contractual activities, including the assessment of the Customer’s needs and insurance risks related to the Customer, the verification of the Customer’s reliability, whereby the processing is based on the implementation of pre-contractual measures at the request of the Customer, the fulfilment of a legal obligation by the Insurer or the legitimate interest of the Insurer;
4.1.3. for creating a customer relationship, including making an insurance offer to the Customer, concluding a contract with the Customer (including issuing an insurance policy), whereby the processing is based on the implementation of pre-contractual measures at the request of the Customer, the performance of a contract with the Customer, the fulfilment of a legal obligation by the Insurer or the legitimate interest of the Insurer;
4.1.4. for the performance of the contract with the Customer, including for the purposes of making enquiries, preparing statements and replies, handling claims in relation to insurance events, making decisions relating to the performance of the insurance contract, whereby the processing is based on the performance of the contract with the Customer, the fulfilment of a legal obligation of the Insurer or the legitimate interest of the Insurer;
4.1.5. for the purposes of the exercise of the rights and obligations of the Insurer arising from the contract concluded with the Customer and/or from applicable law (e.g. recovery procedures), whereby the processing is based on the performance of a contract concluded with the Customer, the fulfilment of a legal obligation of the Insurer or the legitimate interest of the Insurer;
4.1.6. for the purpose of statistical and financial analysis, whereby the processing is based on the fulfilment of a legal obligation or the legitimate interest of the Insurer;
4.1.7. for the purpose of developing the Insurer’s services, whereby the processing is based on the fulfilment of a legal obligation or the legitimate interest of the Insurer;
4.1.8. for the purposes of verifying the Personal Data of Data Subjects, entering, reading, correcting, supplementing, deleting, storing, transferring and transmitting to third parties the Personal Data of Data Subjects, whereby the processing is based on the implementation of pre-contractual measures at the request of the Customer, the performance of a contract with the Customer, the fulfilment of a legal obligation of the Insurer or the legitimate interest of the Insurer or a request of the Customer;
4.1.9. for the purpose of defending the infringed rights of the Insurer, whereby the processing is based on the fulfilment of a legal obligation or the legitimate interest of the Insurer;
4.1.10. for the purposes of offering new Services to the Customer, conducting customer surveys or other purposes related to direct marketing, whereby the processing is based on the Customer’s consent or the Insurer’s legitimate interest.
5. Disclosure and transfer of Personal Data to Third Parties
5.1. The Insurer will disclose and/or transfer the Personal Data of Data Subjects where necessary:
5.1.1. in relation to performance of the Customer contract (including handling insurance claims), to related persons (e.g. translation service providers, IT service providers);
5.1.2. to public registers (e.g. civil register, traffic register or other register) in order to ensure that the Personal Data corresponds to the data in the Insurer’s database, to ensure the accuracy and relevance of the Personal Data, and to obtain additional information necessary to clarify the circumstances of the insured event;
5.1.3. to other insurers in the event of a legitimate interest arising from their handling of the insured event;
5.1.4. to the Insurer’s Processors (e.g. insurance agents, claims handling companies, reinsurance companies, Estonian Insurance Association);
5.1.5. to the Financial Intelligence Unit to comply with a legal obligation (e.g. the Insurer’s obligations under the International Sanctions Act);
5.1.6. to the auditors and legal advisers of the Insurer, if the Personal Data is necessary for them to provide auditing and/or legal services to the Insurer;
5.1.7. to other Third Parties in connection with the exercise of the Insurer’s rights and obligations arising from the contract concluded with the Customer or from legislation (e.g. motor insurance register, bankruptcy administrators, investigative bodies, courts, bailiffs, Data Protection Inspectorate, Financial Supervision Authority).
5.2. The Insurer will disclose and/or transfer the Personal Data of Data Subjects to Third Parties only to the extent necessary to achieve the purposes set out in Clause 4 of these Terms and Conditions.
5.3. In general, Personal Data of Data Subjects is processed within the European Union/European Economic Area (EU/EEA), but in some cases it is transferred to and processed in countries outside the EU/EEA. The processing of Personal Data of Data Subjects outside the EU/EEA may take place provided that there is a legal basis, e.g. performance of the Insurer’s legal obligations or the Customer’s consent, and that appropriate safeguards are in place (e.g. the country outside the EU/EEA where the recipient is located has an adequate level of data protection in place in accordance with the European Commission Decision or there is a valid contract containing standard terms and conditions developed by the EU and approved codes of conduct) or other similar measures that comply with the General Data Protection Regulation.
6. Personal Data received from Third Parties
6.1. A state or local authority, health care provider or other Third Party is allowed to transfer or provide access to the Data Subject’s Personal Data in the event of an insured event without the Customer’s consent, if the Personal Data is necessary for the Insurer in connection with the performance of the insurance contract, enforcement or recovery.
6.2. The Insurer shall record and use Personal Data obtained from Third Parties, such as:
6.2.1. Personal Data obtained from public registers (e.g. commercial register, civil register, traffic register, etc.) to verify the accuracy of the Personal Data;
6.2.2. Personal Data received from the Financial Intelligence Unit in connection with the performance of the Insurer’s obligations under the International Sanctions Act;
6.2.3. Personal Data obtained from the motor insurance register in connection with the handling of motor insurance claims;
6.2.4. Personal Data from the register of persons at increased risk (KRI) managed by Estonian insurance companies;
6.2.5. Personal Data received from Third Parties in the exercise of the Insurer’s rights and obligations referred to in Clause 6.1.
7. Processing of Customer’s Personal Data for direct marketing
7.1. With the Customer’s consent, the Insurer has the right to process the Customer’s Personal Data (e.g. name, contact details, Services used by the Customer) in order to provide the Customer with additional insurance services and marketing information about those services.
7.2. With the consent of the Customer or in the case of a legitimate interest of the Insurer, the Insurer has the right to use and process the Customer’s Personal Data (e.g. name, contact details, Services used by the Customer) in order to carry out customer surveys, to store the data obtained, to analyse the data and to use the data for the purpose of offering new additional insurance services to the Customer.
8. Processing of Customer’s Personal Data for direct marketing
8.1. The Insurer has the right to record all requests for information, orders given, conversations carried out and, if necessary, to use these recordings for the purpose of verification and/or reproduction of orders or other actions, execution of insurance contracts, servicing of the Customer and other purposes mentioned in Clause 4 of these Terms and Conditions.
9. Automated decisions and profiling
9.1. In the case of automated decision making, the Insurer shall use its database and systems to make decisions based on the information that the Insurer has about the Customers.
9.2. The Insurer will use, where necessary, Customer profiling as a means of automated processing of Personal Data (e.g. to provide Services that match the Customer’s preferences, to determine the prices of Services, for marketing purposes).
10. Customer’s rights in relation to the processing of their Personal Data
10.1. Access to own data
10.1.1. The Customer has the right at any time to access the Personal Data collected and used by the Insurer about them, the sources of such Personal Data, and the purposes for which it is used, by submitting a written request to the Insurer at the e-mail or postal address provided in Clause 12.1.
10.1.2. The Customer will be able to obtain information on how long the Insurer will keep their Personal Data and to what extent the Insurer will disclose their Personal Data.
10.2. Right to object
10.2.1. The Customer has the right to object to the processing of Personal Data relating to them if the processing of the Customer’s Personal Data by the Insurer is based on the legitimate interest of the Insurer or the consent of the Customer.
10.2.2. The Customer has the right to opt out of the use of their Personal Data for direct marketing, including the related profiling.
10.3. Correction or deletion of Personal Data held by the Insurer
10.3.1. If, in the opinion of the Customer, the data held by the Insurer about them is inaccurate, incomplete or inappropriate, the Customer has the right to request the correction or deletion of their Personal Data (“right to be forgotten”), subject to the restrictions under applicable law and the rights of the Insurer in relation to the processing of the data.
10.3.2. The Customer shall inform the Insurer immediately of any changes to the information provided to the Insurer. For its part, the Insurer will regularly check if the Customer’s Personal Data is complete and correct.
10.5. Restrictions on the use of Personal Data
10.5.1. If the Customer finds that the data the Insurer has collected about them is not accurate, or if the Customer has objected to the use of their Personal Data, they have the right to request that the Insurer restrict the use of their Personal Data to retention only, until it is possible to verify the accuracy of the data or to verify whether the legitimate interests of the Insurer outweigh the interests of the Customer.
10.5.2. If the Insurer needs the Customer’s Personal Data only for the purpose of pursuing or defending legal claims, the Customer may request that their Personal Data not be used for any purpose other than storage. If the Customer has the right to request the deletion of their Personal Data, they may request the Insurer not to delete but to retain their Personal Data. The Insurer may also have the right to use the Customer’s Personal Data in other ways, if it is necessary to enforce claims or if the Customer has consented to this.
10.6. Withdrawing consent
10.6.1. If the consent of the Customer is required for the processing of the Customer’s Personal Data, the Customer may withdraw this consent at any time.
10.7. Transferability of Personal Data
10.7.1. If the Insurer processes the Customer’s Personal Data on the basis of the Customer’s consent or on the basis of a contract concluded with the Customer, and the processing is automated, the Customer has the right to receive a copy of the Personal Data provided by the Customer to the Insurer in an electronic machine-readable format by submitting a written request to the e-mail or postal address provided in Clause 12.1.
The Customer has the right to transfer this data to another Processor, if they wish to do so.
11. Storage of personal data
11.1. The Insurer shall retain the Personal Data for as long as is necessary to fulfil the objectives of processing the Customer’s data or the objectives arising from legislation, also taking into account the expiry term of claims arising from the contract.
12. Contact details in relation to requests concerning the processing of Personal Data
12.1. If the Customer has any questions regarding their rights in relation to the processing of their Personal Data or the collection and use of Personal Data by the Insurer, the Customer may contact the Insurer’s Data Protection Officer at the following contact details:
Elama Kindlustus Data Protection Officer, Liivalaia 45, Tallinn 10145, Republic of Estonia; e-mail: andmekaitse@elama.ee
12.2. If the Customer did not obtain a satisfactory outcome by contacting the Data Protection Officer, they may contact the Insurer at the following contact details: Elama Kindlustus AS, Liivalaia 45, Tallinn 10145, Republic of Estonia; e-mail: elama@elama.ee.
12.3. In addition to what is mentioned in Clause 12.2., the Customer has the right to contact the supervisory authority of the Insurer at the following contact details:
Data Protection Inspectorate, Tatari 39, Tallinn 10134, tel. +372 627 4135, e-mail: info@aki.ee, website: www.aki.ee
13. Amendment and application of the Terms and Conditions
13.1. The Insurer has the right to unilaterally amend these Terms and Conditions in accordance with the legislation in force.
13.2. The Insurer shall notify Customers of any changes to these Terms and Conditions on the Insurer’s website www.elama.ee at least 1 (one) month before the changes enter into force, unless the changes to the Terms and Conditions are made solely as a result of changes to legislation.
13.3. These Terms and Conditions apply to the processing of all Personal Data of Data Subjects by the Insurer. These Terms and Conditions shall also apply to Customer Relationships that have been established prior to the entry into force of these Terms and Conditions.