Data protection

Privacy Notice

 

This Privacy Notice (the “Notice”) has been prepared by Zurich Insurance Company Ltd, a company incorporated and existing under the laws of Switzerland, having its registered office at Mythenquai 2, 8002 Zürich, Swiss Confederation, registered in the Commercial Register of the Canton of Zurich, reg. no. (UID): CHE-105.833.114, operating on the territory of the Slovak Republic through Zurich Insurance Company Ltd, organizational unit, with its registered office at Mýtna 48, 811 07 Bratislava - Staré mesto, ID No.: 47 559 101, registered in the Business Register of District Court Bratislava I, Section: Po, File No.: 2345/B (the "Company") for the purpose of providing concise, transparent, comprehensible and easily accessible information regarding the processing of your personal data.

 

This Notice has been updated on 01.11.2023.

1. General Introduction

This Notice is issued in accordance with Articles 13 and 14 of GDPR, Sections 19 and 20 of the Act, and other generally applicable law.

Since the Company is the controller that processes your personal data through the web portal https://www.zurich.com for the processing purposes listed below, it provides you with all the necessary information regarding this processing.

At the same time, in connection with the processing of your personal data, the Company has designed and implemented standard and specific personal data protection measures, including appropriate technical and organisational measures, to ensure a high level of protection of your personal data.

If you have any questions about this Notice or the processing of your personal data or about exercising your rights under GDPR and the Act, you may contact the Company at any time in writing at: Zurich Insurance Company Ltd, Mythenquai 2, 8002 Zürich, Swiss Confederation, by email at ochranaosobnychudajov@zurich.com or by calling +421 917 471 866.

2. Definitions of Terms

Following the principles of transparency and clarity, the Company uses the following terms for the purposes of providing information herein:

  • You are the Data Subject if the Company processes your personal data in the manner set out herein;
  • GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);
  • Portal is the web portal https://www.zurich.com, including all subdomains, subpages and components;
  • Act is Act No. 18/2018 Coll. on the Protection of Personal Data and on amendments of and supplements to certain acts, as amended.

3. Information on the Processing of Personal Data

The Company provides below an overview of the individual processing activities, as well as the personal data processed, the purpose of processing, the legal basis for processing, the retention period, and other information.

Personal data processed

Purpose of the processing of personal data

 Legal basis for the processing of personal data Retention period of personal data

Legal or contractual requirement and possible consequences of failure to provide personal data

Personal data necessary to ensure mutual communication, in particular name, surname, e-mail, telephone contact and the content of communication.

Such communication may be online (email, contact form, etc.) or by mail.

 Ensuring communication between the Company and the Data Subject.

Legitimate interest of the Company.

The legitimate interest of the Company is to ensure effective and trouble-free communication with the Data Subject.

 For a period of 3 years from the last communication between the Company and the Data Subject.

Voluntary provision of data.

The Data Subject may exercise his or her right to object to the processing of personal data (Art. 21 of GDPR and Sec. 27 of the Act).
Personal data necessary to register for a conference, seminar, other event or activity, in particular name, surname, e-mail and telephone number. Registration of the Data Subject for a conference, seminar, other event or activity organised or co-organised by the Company

Legitimate interest of the Company

The legitimate interest of the Company is to ensure the registration and subsequent attendance of the Data Subject at a conference, seminar, other event or activity.

 For a period of 3 years from the end of the conference, seminar, other event or activity.

Voluntary provision of data.

The Data Subject may exercise his or her right to object to the processing of personal data (Art. 21 of GDPR and Sec. 27 of the Act).

Personal data necessary to ensure the recruitment of potential employees, in particular name, surname, e-mail, telephone number, date of birth, permanent address and other personal data included in CV.

Furthermore, personal data in the extent of data captured on a video in cases where the course of the job interview will be captured on a video.

 Ensuring the recruitment process of Data Subjects (employees).

Necessity of the performance of the contract or the implementation of measures prior to the conclusion of the contract.

In this case, contract means an employment contract or an agreement on work performed outside the employment.

Consent of the Data Subject to the processing of his/her personal data is required before making a video recording of the course of the job interview. Consent may be withdrawn at any time.

Until the conclusion of the recruitment process of the Data Subjects (employee).

Personal data in the extent of data captured on a video for a period of 30 days from the date of creation of the video recording, or until the consent to the processing of personal data is withdrawn.

Voluntary provision of data.

In case of failure to provide the data, the Data Subject will not be able to participate in the recruitment process.

Failure to give consent will result in the Company automatically deleting the personal data of job applicants or not retaining the personal data of potential job applicants.

Personal data necessary for storing the information about unsuccessful job applicants or potential job applicants, in particular name, surname, e-mail, telephone number, date of birth, permanent address and other personal data included in CV. Storing of personal data of unsuccessful job applicants or potential job applicants for the purpose of contacting them in the future in the event of a new job position.

Consent of the Data Subject to the processing of his/her personal data.

Consent may be withdrawn at any time.

 For a period of 3 years from the date of consent or until the consent to the processing of personal data is withdrawn.

Voluntary provision of data.

Failure to give consent will result in the Company automatically deleting the personal data of job applicants or not retaining the personal data of potential job applicants.

Personal data necessary for the exercise of the Company's claims, in particular name, surname, permanent or temporary residence, type of claim.

The Company may pursue these claims both in and out of court.

Tieto nároky môže Spolocnost uplatnovat súdnou aj mimosúdnou cestou.

 Pursuing the Company's claims through courts, arbitration tribunals, bailiff's offices, law firms, notary offices, etc.

The Company's legal obligation to identify the Data Subject and the Company's entitlement when making claims.

This obligation results in particular from Act No. 160/2015 Coll., Act No. 233/1995 Coll., Act No. 40/1964 Coll., Act No. 513/1991 Coll.

Legitimate interest of the Company. In the absence of a legal obligation to process the Data Subject's personal data, the Company processes personal data on the basis of legitimate interest.

The Company's legitimate interest is to pursue claims.

 For the limitation or prescription period or until the proceedings are finally closed.

The Company processes the personal data of the Data Subject on the basis of its legal obligation.

Failure to provide personal data results in the Company being unable to fulfil its legal obligations and therefore its rights to pursue claims are limited.

The Company processes personal data on the basis of legitimate interests on the grounds that it has carried out a purpose compatibility test, whereby the original purpose for which it processed the personal data is compatible with the purpose of exercising the claims.

Personal data necessary to contact the other party, in particular name, surname, email, telephone number, job title and signature.

The Company processes the personal data of the Data Subject who acts as the other party or as a representative or contact person of the other party (e.g., statutory body, member of the statutory body, proxy, attorney, contact person, etc.)

 Establishing the contractual relationship, ensuring communication between the parties and proper performance of contractual obligations.

Legitimate interest of the Company.

The legitimate interest of the Company is to enter into the contractual relationship, to ensure the fulfilment of its contractual obligations arising from the contractual relationship in question and to ensure communication between the parties.

 For the limitation or prescription period applicable to the Company's claims arising from the contractual relationship.

Voluntary provision of data.

The Data Subject may exercise his or her right to object to the processing of personal data (Art. 21 of GDPR and Sec. 27 of the Act).

If the employer of the Data Subject provides his or her personal data within the contractual relationship, Sec. 78 (3) of the Act applies, pursuant to which the employer may provide such data.
Personal data necessary to promotion of the Company’s activities, services and products, in particular title, first name, surname, job title, e-mail address, telephone number, photo and audio-visual record. Promotion of activities, services and products.

Legitimate interest of the Company.

The legitimate interest of the Company is the promotion of the Company’s activities, services and product through the taking of photographs or audio-visual recordings that are accompanies by other personal data. These photographs and audio-visual recordings are primarily taken during conferences, seminars, other events and activities.

 For 3 years from the start of the processing of the personal data.

Voluntary provision of data.

The Data Subject may exercise his or her right to object to the processing of personal data (Art. 21 of GDPR and Sec. 27 of the Act).

 

4. Rights of Data Subjects

In connection with the processing of personal data, you, as a Data Subject, have the rights set out below, which you can exercise at any time in the form of a request to the Company. In such a case, the Company shall provide the Data Subject with information on the measures taken on the basis of his/her request without undue delay and at the latest within 1 month. The Company may extend this period by a further 2 months, in which case it shall inform the Data Subject of any such extension within 1 month of receipt of the request, together with the reasons for the delay.

  • Right of access (Art. 15 of GDPR or Sec. 21 of the Act)

    The Data Subject has the right to obtain from the Company confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to such personal data. The Data Subject also has the right to be provided with all information within this Notice, and the Company will update this Notice periodically.

  • Right to rectification (Art. 16 of GDPR or Sec. 22 of the Act)

    The Data Subject has the right to obtain from the Company without undue delay the rectification of personal data concerning him or her. The Data Subject also has the right to have incomplete personal data completed.

  • Right to erasure/right to be forgotten (Art. 17 of GDPR or Sec. 23 of the Act)

    The Data Subject has the right to obtain from the Company the erasure of personal data concerning him or her without undue delay. However, the right to erasure is not absolute and it is necessary that at least one of the grounds under Art. 17 (1) of GDPR and Sec. 23 (2) of the Act applies; the Company is not obliged to erase such personal data in the cases referred to in Art. 17 (3) of GDPR and Sec. 23 (4) of the Act.

  • Right to restriction of processing (Art. 18 of GDPR or Sec. 24 of the Act)

    The Data Subject has the right to obtain from the Company restriction of processing of his or her personal data under the conditions set out in Art. 18 of GDPR and Sec. 24 of the Act.

  • Right to portability (Art. 20 of GDPR or Sec. 26 of the Act)

    The Data Subject has the right to receive the personal data which he or she has provided to the Company in a structured, commonly used and machine-readable format and has the right to transmit those personal data to another controller if he or she has provided his or her personal data on the basis of consent and such personal data are processed by the Company by automated means.

  • Right to object (Art. 21 of GDPR or Sec. 27 of the Act)

    The Data Subject has the right to object to the processing of personal data processed about him or her by the Company where such processing is carried out on the legal basis of the performance of a task carried out in the public interest or for legitimate purposes of the Company or third parties, including profiling based on these legal bases. The Data Subject also has the right to object to the processing of personal data about him or her by the Company for direct marketing purposes, including profiling.

  • Right in relation to automated individual decision-making, including profiling (Art. 22 of GDPR or Sec. 28 of the Act)

    The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

  • Right to initiate proceedings (Sec. 100 of the Act)

    The Data Subject has the right to file a petition for initiation of personal data protection proceedings under Sec. 100 of the Act with the supervisory authority if he or she believes that the Company processes his or her personal data in violation of GDPR or the Act.

    The Data Subject may file a petition to initiate proceedings with the Office for Personal Data Protection of the Slovak Republic, seated at Hranicná 12, 820 07 Bratislava. More information is available on the web portal of the Office for Personal Data Protection of the Slovak Republic.

  • Right to withdraw consent (Art. 7 of GDPR or Sec. 14 of the Act)

If personal data are processed on the legal basis of the Data Subject's consent, the Data Subject has the right to withdraw his or her consent at any time without affecting the lawfulness of processing based on consent given before its withdrawal.

You can withdraw your consent at any time by sending an email to: ochranaosobnychudajov@zurich.com

5. Sources of Obtaining Personal Data

The Company primarily obtains personal data directly from Data Subjects. In some cases, however, Data Subjects do not directly interact with the Company, in which case the Company obtains personal data from other sources, which are:

  • publicly available sources where the personal data of the Data Subject is included.
  • other person who provides the Company with personal data of the Data Subject - in such case, the person providing the data is obliged to have the consent of the Data Subject pursuant to Sec. 78 (6) of the Act.

6. Recipients of Personal Data

The Company may also disclose the personal data of Data Subjects to other natural or legal persons, public authorities, or international organisations.

The Company ensures the highest possible level of protection of personal data in the case of provision of personal data of Data Subjects, and in the case of provision of personal data to its processors or joint controller, it has a contractual relationship under Art. 26 or Art. 28 of GDPR, or Sec. 33 or Sec. 34 of the Act.

The Company provides personal data of Data Subjects to the following categories of recipients or public authorities:

  • controlling or controlled entities and other entities in the horizontal or vertical hierarchy of the Company's organisational structure, i.e. within the Zurich Group;
  • business partners of the Company;
  • legal, tax, accounting, IT and other advisors to the Company;
  • Slovenská pošta, a.s., courier and transport companies;
  • public authorities;

7. Retention Period of Personal Data

In addition to the retention period for individual personal data as set out in paragraph 3 hereof, the Company may also retain the personal data of Data Subjects for longer periods where it is necessary due to the legitimate interests of the Company or due to a change in its statutory obligations.

8. Transfer of Personal Data to Third Countries or International Organisations

The Company is incorporated and existing under the laws of the Swiss Confederation. The Swiss Confederation is considered a third country (a country outside the European Union or the European Economic Area) for the purposes of GDPR and the Act. Accordingly, the Company processes all personal data (also) in the territory of the third country, the Swiss Confederation, on the basis of an adequacy decision issued by the Commission, which is available here:

https://eur-lex.europa.eu/legal-content/SK/TXT/HTML/?uri=CELEX:32000D0518&from=EN.

The Company may transfer personal data of Data Subjects to other third countries or international organisations. In the event of any transfer of personal data to third countries or international organisations, the Company undertakes to ensure an adequate level of protection for the personal data of Data Subjects at all times.

The Company does not transfer personal data to other third countries or international organizations.

 

The Company does not transfer personal data to other third countries or international organizations.