Introduction
Skuld takes personal data protection seriously and seeks to ensure that all data subjects can be confident their personal data is safe in Skuld. In this privacy notice, we inform data subjects about what Skuld does to protect personal data and comply with the European "General Data Protection Regulation" (GDPR).
Personal data is information relating to an identifiable natural person (the data subject), who can be identified directly or indirectly. Personal data is necessary to provide the insurance services we have agreed with Skuld's members.
Processing personal data means any operation or set of operations which is performed on personal data, such as collection, recording, storage, use, disclosure by transmission, dissemination or otherwise making available, erasure or destruction.
Contact details
"Skuld" means Assuranceforeningen Skuld (Gjensidig) and its subsidiaries and entities of the Skuld group.
The head office is in Oslo, Norway, and contact details for all Skuld offices are available on https://www.skuld.com/contacts/.
Data subjects
"Data subjects" in this context refers to:
- Individuals associated with Skuld's insurance agreements and claims, including claimants.
- Contacts vital for customer relationship management, such as members, brokers, and external service providers.
- Current and former Skuld employees, along with unsuccessful job applicants.
In essence, a data subject is any identifiable person whose personal data Skuld collects or processes.
Skuld as data controller
Skuld is a mutual marine insurance company. As a controller Skuld determines the purposes and means of processing personal data in Skuld. The President & CEO is the ultimate responsible and the daily responsible are the heads of the business units in Oslo, Bergen, London, Copenhagen, Hamburg, Piraeus, Hong Kong, Singapore, Tokyo, New York and Hamilton.
Use of data processors
Skuld may use suppliers (data processors), like IT service providers and cloud service providers to assist it with the processing of personal data on its behalf. This may occur, for example, when IT operations or the backing up of company data are outsourced to an external supplier.
Data Protection Officer (DPO)
Skuld has appointed a DPO for the entire Skuld Group, to advise and assist staff, monitor compliance with GDPR and be the first point of contact to relevant supervisory authorities and for data subjects whose data is processed.
The DPO in Skuld is:
Chief Compliance Officer
Email: compliance@skuld.com
Why we process data
Skuld processes personal data for various purposes such as recruitment, managing employee data, managing insurance policies and claims, avoiding financial crime, marketing, and handling complaints. The processing is necessary for the performance of contracts, compliance with legal obligations, and the legitimate interests pursued by Skuld.
Legal basis
Occasionally, Skuld obtains consent for personal data processing, providing a legal basis per GDPR Article 6(1)(a).
Skuld may process personal data concerning representatives who serve in Skuld Governing bodies as per GDPR Art. 6,1 (c).
Processing may also be necessary to manage insurance policies and for contract performance or pre-contract steps, including handling and payment of claims, or establishing managing contracts with employees or external parties as per GDPR Article 6(1)(b).
For marketing and events, Skuld uses personal data to provide information and market services. If the contact information is part of a contract, processing is necessary for legitimate interests (GDPR Art. 6,1 (f)). Consent is obtained before sending electronic newsletters (GDPR Art. 6,1 (a)).
To prevent financial crimes, Skuld processes personal information, required for legal obligation compliance (GDPR Art. 9, 2 (f)).
Additionally, Skuld may process data based on a balance of interests, per GDPR Article 6(1)(f), only processing data as necessary for specified purposes.
To handle complaints, Skuld processes complaints about their products, necessary for compliance with a legal obligation (GDPR Art. 6,1 (c)).
For special category or sensitive personal data related to fit and proper processes or in relation to members and claimants, processing may be necessary for legal claim establishment, exercise, or defense, per GDPR Article 9(2)(f).
What kind of personal data is processed
Skuld processes various types of personal data depending on the context. This can include contact data, recruitment data, employee data, data about members of governing bodies, consultant data, and health information related to claims. Skuld also collects contact data related to members (customers), brokers, correspondents, lawyers, service providers (e.g. technical surveyors) and other business contacts.
Additionally, Skuld processes health information as e.g. medical records, diagnosis and description of injury/illness when needed to handle personal injury/illness claims cases. This information will only be used for the specific purposes for which it was provided and to carry out agreed service. Access to personal injury/illness cases are restricted which means that Skuld offices/business units have access to claims cases which are processed within their area of responsibility.
Where personal data is obtained from
Personal data is primarily obtained from the data subject directly, but may also be obtained from other sources in certain contexts, such as recruiting agencies or in relation to claims.
This includes any personal data provided by data subjects to Skuld through e.g. questionnaires, forms, skuld.com, claims online and emails, including emails exchanged with the Skuld's personnel.
Transfer of personal data
Personal data may be transferred externally and within Skuld. This includes transfers to non-EU/EEA countries, whose data privacy laws do not offer the same level of protection as Norway. Sometimes it is necessary to transfer personal data to members, correspondents, lawyers and brokers. This might be claims information and/or contact information.
Data transfers abroad may also occur since Skuld has subsidiaries outside of the EEA/EU that assist with the processing of personal data. Skuld is an international marine insurer which operates (globally) through a worldwide office network. All Skuld subsidiaries and entities in Skuld have a duty of confidentiality. All personal data processed in the Skuld group is received and stored in IT systems which are managed by the Head office in Oslo.
Skuld has ensured adequate security within all offices and has also established needed agreements between offices to ensure adequate level of security. Personal data processed in Skuld is confidential and shall only be available for staff who are authorised and need the information to perform their duties. Skuld New York has access to all personal injury/illness cases in Skuld, as they provide claims service to all Skuld business units (offices).
Transfer via email within Skuld is encrypted by default. In some occasions we send emails with health information externally to correspondents, crew agencies, lawyers or brokers when handling claims cases. These transfers are encrypted.
Recipients of personal data
Personal data may be shared with various recipients depending on the purpose for transferring the personal data. Skuld shares personal data with various recipients based on the purpose of data transfer:
- Contact data may be shared with members, correspondents, and brokers during the underwriting or claims process.
- Personal data may be shared with lawyers for claims handling and litigation.
- Skuld may assist with visa applications for participation in seminars, events, and meetings, requiring sharing of personal information with Norwegian authorities.
- Skuld may report personal data to the Norwegian National Authority for investigation and Prosecution of Economic and Environmental Crime (ØKOKRIM) and other organizations to prevent and detect fraud and financial crimes.
How long personal data is retained
Retention of personal data is necessary for various reasons such as to fulfil statutory or regulatory requirements, to evidence agreements in case of disputes, and to meet our operational needs. The retention period varies depending on the type of data the purpose of the processing, statutory or other regulatory requirements and the relevant context. Personal data will only be stored for as long as necessary and shall then be erased.
Personal data processed in connection with claims will be retained if the case is not time barred. This may vary depending on what type of claims are processed and which jurisdiction applies.
The right to withdraw consent
In situations where Skuld requests and receives consent to perform processing, Skuld is also obliged to stop such processing if the data subject decides to withdraw the consent.
Data subject's rights
Data subjects have several rights under GDPR:
- Access: Data subjects can access and obtain a copy of their personal data stored in Skuld.
- Rectification: Data subjects can have inaccurate or incomplete data rectified.
- Erasure: Data subjects can request data erasure under certain conditions, such as if the data is no longer necessary, if consent is withdrawn, or if the data was unlawfully processed.
- Data Portability: Data subjects can obtain and reuse their personal data across different services, mainly applicable to information provided to Skuld.
- Right to Object: Data subjects can object to their personal data processing under certain circumstances and can stop their data being used for direct marketing.
- Complaint: If dissatisfied with Skuld's data processing, data subjects can contact the DPO and/or file a complaint to the Norwegian Data Protection Authority or a relevant local supervisory authority.
Security
Skuld is committed to ensuring that personal data is secure. In order to prevent unauthorized access or disclosure Skuld has put in place appropriate physical, electronic and administrative procedures to safeguard and secure the personal and confidential information we process.
Cookies
Cookies are small pieces of data sent from a website and stored in a user's web browser, enhancing the performance of our website and providing a better user experience.
Cookies are used to track visits to our site, enabling us to understand which parts are most popular, the duration of visits, and visitor behaviour. This aids us in tailoring our information to user needs.
We do not sell or share the information collected by cookies. Please note that our website may contain links to other sites, and we are not responsible for their privacy practices.
Further information about cookies are available here: https://www.skuld.com/about/compliance/cookies/
Compliance
We are committed to meeting our obligations under the applicable local privacy legislation in addition to the EU regulation (2016/679) on the protection of natural persons with regard to the processing of personal data (GDPR) which also applies for EEA countries as Norway.