Instructions regarding the rules to be followed for addressing an admissible petition in connection with the processing of personal data

1. PURPOSE

In order to help data subjects who wish to address a petition related to the processing of personal data, OMNIASIG VIG provides this information document, which presents the procedural conditions for addressing an admissible petition.

The rules described in this information document are an integral part of the set of organizational measures taken by OMNIASIG VIG to meet the legal requirements in force governing the protection of individuals with regard to the processing of personal data and the free movement of such data.

2. DEFINITIONS AND ABBREVIATIONS

2.1. Definitions (in alphabetical order)

  • Personal data (data) - any information about an identified or identifiable natural person (data subject). In accordance with the legal provisions, such data may be: name and surname, location data, domicile or residence address, e-mail address, telephone number, account number, image, voice, trade union membership, etc.
  • Personal data with general identification or applicability function - those numbers by which a natural person is identified in certain record systems and which have general applicability, such as: personal numerical code, series and number of the identity document, passport number, driving license number, social or health insurance number.
  • Genetic data - personal data relating to the inherited or acquired genetic characteristics of a natural person, which provide unique information on the physiology or health of that person and which result in particular from an analysis of a sample of biological material collected from the person in question.
  • Biometric data - personal data resulting from specific processing techniques related to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of that person, such as voice, facial images or dactyloscopic data.
  • Health data - personal data related to the physical or mental health of an individual, including the provision of health care services, which disclose information about their state of health.
  • Representative of the petitioner - the person empowered by the petitioner to represent him in the relationship with OMNIASIG VIG, undertaking to act in the name and on behalf of the principal.
  • Operator - natural or legal person, public authority, agency or other body which, alone or together with others, establishes the purposes and means of processing personal data; where the purposes and means of processing are established by Union or national law, the controller or the specific criteria for its designation may be laid down in the Union or in the national law.
  • Third party - a natural or legal person, public authority, agency or body other than the data subject, the controller, the person authorized by the controller and persons who, under the direct authority of the controller or the person authorized by the controller, are authorized to process personal data.
  • Person authorized to process data (authorized person) - the operator or the authorized person or the persons who, under the direct authority of the controller or the authorized person, are authorized to process data.
  • Person authorized by the operator (authorized person) - natural or legal person, public authority, agency or other body that processes personal data on behalf of the operator.
  • Data subject - an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifying element, such as a name, an identification number, location data, an online identifier, or one or more specific elements, specific to his physical, physiological, genetic, mental, economic, cultural or social identity. Within OMNIASIG the following categories of data can be processed, without being limited to them:
  1. Clients / potential clients / insured persons/ contractors, beneficiaries of insurance (former damaged clients / third parties, etc.) - for the data processed in order to provide insurance services;
  2. OMNIASIG employees and collaborators (including natural persons working under OMNIASIG under a staff lease agreement) / their family members - for data processed for human resources purposes and/or conflict of interest management according to ASF rules or other applicable regulations.
  3. Clients / potential clients / visitors / employees - for the data processed in order to monitor / ensure the security of the persons, spaces and/or public/private goods;
  4. Natural persons, representatives of the legal entities with which OMNIASIG comes into contact as a client or for the purpose of concluding future partnerships, conventions, contracts.
  • Petition - the request, complaint, notification or proposal made in writing (in letters or electronic format), through which a petitioner expresses his opinion on the activity of processing his personal data carried out by OMNIASIG VIG and/or OMNIASIG VIG’s authorized persons.
  • Petitioner - the identified data subject who considers that the processing of his personal data, as carried out by OMNIASIG VIG and/or by OMNIASIG VIG’s authorized persons violates the legal provisions in force in the field of personal data processing.
  • Processing of personal data (processing) - any operation or set of operations performed on personal data or on personal data sets, with or without the use of automated means, such as collection, registration, organization, structuring, storage, adapting or modifying, extracting, consulting, using, disclosing by transmitting, disseminating or otherwise making it available, aligning or combining, restricting, deleting or destroying.
  • Processing of special categories of personal data - the processing of personal data revealing racial or ethnic origin, political opinions, religious denominations or philosophical beliefs or trade union membership and the processing of genetic data, biometric data for the unique identification of a natural person, health data or data regarding the sexual life or sexual orientation of an individual.
  • Correspondence register regarding data protection - the register in electronic format organized in OMNIASIG VIG, in which the petitions (complaints, grievances, notifications, requests, proposals) regarding aspects related to data processing are recorded chronologically, in the order of receipt; numbering starts at 1 at the beginning of each calendar year.
  • Representative of the petitioner - the person authorized by the petitioner to represent him, to act on behalf of the petitioner in order to defend his interests in the relationship with OMNIASIG VIG.
  • Person in charge with the protection of personal data (DPO) - the key person in the legal context of Regulation (EU) 2016/679, whose role - at company level - is:
  1. monitoring the compliance with regulations, other provisions of the Union or national law concerning the protection of data and the guidelines / policies of the controller or of the person authorized by the controller with regard to the protection of personal data,
  2. proposing the allocation of responsibilities and carrying out awareness-raising and training actions for the personnel involved in the processing operations, as well as the related audits.

2.2. Abbreviations (in alphabetical order)

  • ANSPDCP - National Authority for the Supervision of Personal Data Processing
  • CNP - personal numerical code
  • CUI - unique tax identification code
  • DPO - person in charge with the protection of personal data
  • GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th of April 2016 on the protection of individuals with regards to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC
  • OMNIASIG VIG - OMNIASIG VIENNA INSURANCE GROUP SA

3. DESCRIPTION OF THE RULES

3.1. Addressing petitions

Petitions may be addressed by any identified data subject who considers that:

  • the processing of his personal data, as carried out by OMNIASIG VIG and/or by OMNIASIG VIG’s authorized persons, violates the legal provisions in force in the field of personal data processing;
  • they wish to request/notify other aspects related to the processing of personal data.

Petitions addressed to OMNIASIG VIG must be formulated in writing, in compliance with the legal regulations in the field.

The ways to address petitions are as follows:

  1. Electronic:
    1. through the company's website www.omniasig.ro - “Data protection” section, https://www.omniasig.ro/protectia-datelor;
    2. by e-mail to dpo@omniasig.ro
  2. In letter format (on paper):
    1. through postal and/or courier services;
    2. at the company's headquarters: the headquarters, the headquarters of OMNIASIG VIG branches, agencies, offices.

Details regarding the OMNIASIG VIG headquarters are available on the OMNIASIG VIG website and can be accessed at the following link: https://www.omniasig.ro/Retea.html 

Complaints received by means other than those mentioned above in this paragraph will be considered admissible only if they meet the criteria set out in this information document.

In addition to the online form available on the company's website, OMNIASIG VIG provides a petition form that can be downloaded and saved from the website www.omniasig.ro, following the path:

https://www.omniasig.ro/protectia-datelor.

MENTION 1: The following shall NOT be registered:

  • petitions received verbally by telephone or in face-to-face discussions;
  • petitions not related to the activity of OMNIASIG VIG;
  • anonymous petitions;
  • petitions in which the identification data of the petitioner are not entered and there is no information on the basis of which the petitioner can be contacted directly and/or through a representative/agent.  

3.2. Ways to address petitions

The ways to address petitions are as follows:

  1. personally by the petitioner - the data subject;
  2. through the representative of the data subject, by attaching the power of attorney issued under the conditions of the law by a lawyer or the notarial power of attorney, as the case may be;
  3. through the agent of the data subject who is the spouse or relative up to and including the second degree; in the case of spouses or relatives up to and including the second degree, a declaration on their own responsibility signed by the petitioner shall be attached, and in the case of other persons, a notarial power of attorney shall be attached.

3.3. Conditions for the admissibility of petitions related to the processing of personal data

If the petition is filed through a non-profit body, organization, association or foundation, they must prove that:

  • they were legally constituted, with a statute that provides objectives of public interest and
  • they are active in the field of protection of the rights and freedoms of data subjects with regard to the protection of their personal data. In this case, the petition shall be accompanied by the power of attorney or notarial power of attorney, as the case may be, showing the limits of the mandate granted by the data subject, the status of the body/organization/association/foundation, and evidence of their activity in the field of protection of the rights and freedoms of data subjects with regard to the protection of their personal data.

The general conditions for a petition to be considered admissible are as follows:

  1. Providing the identification data of the petitioner: name, surname, postal address of the domicile or residence (country, locality, county, sector, street, number, block, entrance, apartment).

MENTION 2: 

If the petitioner is contacted (they provided a valid landline or mobile phone number) and confirms (by phone, by e-mail, correspondence in letter format) that they initiated the petition (and implicitly its content) and in addition, the identification data of the petitioner are available in his application and/or in various documents issued by the state authorities (documents attached to the petition), it is no longer required to send a copy of the petitioner's identity card.

  2. E-mail address, if the petition is submitted electronically, and if the response to the petition is requested by e-mail.
  3. Providing the data of the representative: name and surname/designation, domicile address/address of residence / headquarters / correspondence address (if different from domicile / address of residence / headquarters), e-mail address, telephone number, registration number with the register of associations and foundations, if applicable.
  4. Holographic signature for petitions addressed in letter format.
  5. Attaching the power of attorney issued under the law by a lawyer or the notarial power of attorney, as the case may be, in the case of petitions addressed by a representative/agent.
  6. Attaching the declaration on one's own responsibility with the petitioner's handwritten signature, if the petitioner's representative is a spouse or relative up to and including the second degree.

MENTION 3: 

If the petitioner chooses to address the petition through a representative (spouse or relative up to the second degree) on the basis of a statement on his own responsibility, the power of attorney issued by the lawyer or the notarial power of attorney is no longer necessary.

  7. Confirmation of the correctness of the data transmitted electronically, both in the case of petitions sent directly by the petitioner and in the case of petitions addressed by the representative on the basis of a statement on his own responsibility, if the investigation of the case shows that this confirmation is necessary to protect the data subject whose personal data are the subject of the petition.
  8. Confirmation of the correctness of the data transmitted in letter format, if, for the petitions addressed by the representative on the basis of a declaration on his own responsibility, this is requested by OMNIASIG VIG.
  9. Detailed specification of the object of the petition.

MENTION 4: 

Petitions received through the module “Data protection” on the site www.omniasig.ro, which in the “Description of the situation” field do not contain any request, complaint, notification or proposal are considered petitions without content and do not meet the criteria of an admissible petition.

  10. In the case of petitions concerning a violation of the right to privacy, family and private life in the field of electronic communications and electronic commerce, in addition to the data provided above (in this paragraph), it is mandatory to mention the telephone or fax number(s), e-mail address/addresses or IP address(es) related to the subject of the petition, as appropriate.
  11. In the case of petitions concerning a violation of the right to privacy, family and private life by sending unsolicited commercial communications, through electronic communications services for OMNIASIG VIG policyholders / customers / partners, it is mandatory to attach the original messages received by the petitioner in a way that allows the identification of the sender of the said communication, messages that must be preserved, as much as possible, in the electronic system used by the petitioner.
  12. If the object of the petition is related to the data processing activity performed by a representative of OMNIASIG VIG, for the petitioner's data processed on behalf of the operator, it is mandatory that the petition contains the identification data of the defendant authorized person, such as: name and surname/designation, address/headquarters, or at least the available information held by the petitioner, in order to identify him.
  13. In the case of petitions aimed at preventing the issuance of RCA policies for an alienated vehicle (and not registered by the buyer), with the data of the deceased seller (natural person), the following information / documents are required:
  • Copy of death certificate;
  • Request made in writing (by e-mail or signed document) by one of the family members of the deceased person (spouse or relative up to the second degree) or by another natural or legal person, communicating: his identification data (as presented above in this paragraph 3.3); his capacity as a person entitled to formulate the petition related to the deceased person; the actual request to stop the processing of the data of the deceased person for the issuance of RCA policies.
  14. The presentation of the heir quality certificate or the heir certificate is necessary in the case of petitions regarding the data of a deceased person (other than petitions aimed at preventing the issuance of RCA policies for an alienated vehicle, with the data of the deceased seller), in addition to the copy of the death certificate and the request made in writing (by e-mail or signed document) by the petitioner.

3.4. Registration of petitions related to the processing of personal data

Petitions are registered in the correspondence register regarding data protection, receiving a number and a date.

If a petitioner addresses several petitions, notifying the same issue/case or issues/cases closely related to each other (the settlement of which is dependent), they will be connected to the registration number of the initial petition, and the petitioner will receive, from OMNIASIG VIG, a single answer that must refer to all the received petitions.

If OMNIASIG VIG receives petitions from the same petitioner in several ways (for example: ANSPDCP, representative, agent, direct, etc.), notifying the same aspects/cases and/or with similar content but with reference to the same aspects/case, they will be connected to the registration number of the initial petition, and each addressee will receive a separate answer, elaborated according to whether the conditions of admissibility of the petition are met and in accordance with the position of the petitioner.

3.5. Classification of petitions related to the processing of personal data

The classification of petitions related to data protection is carried out according to the rules presented in this paragraph.

  1. “Finished” status

This status can be assigned to petitions as follows:

  1. If the resolution of the issues/instrumentation of the cases presented in the petition has been completed and the data subject has been notified, in writing, regarding this issue;
  2. If the resolution of the issues/instrumentation of the cases presented in the petition is NOT possible (totally or partially) due to the lack of information/documents (the petition was previously classified as an inadmissible petition) and the data subject was notified, in writing, on this issue.

If, after the reply to a petition is sent, a new petition is received from the same petitioner, with the same content and/or similar content but with reference to the same issues/cases, it shall be connected to the initial number and shall be classified with “finished” status, the initial number mentioning that the petitioner was answered.

In the case of a petition filed as a result of a repetition of a previous petition, the petitioner is informed in writing of the following:

  1. the fact that the petition is a reiteration of the initial petition; specify the number and date of the initial petition and - if applicable - those of related petitions received from the same sender (without reference to related petitions received from other senders);
  2. the result of the investigation carried out following the registration of the initial petition;
  3. the fact that any other reiteration presenting the same aspect/case, or aspects/cases in close connection with those in the initial petition, will be filed by OMNIASIG VIG, without the communication of another answer.

  2. “In progress” status

This status can be assigned to petitions during the period in which the necessary actions are taken to resolve the issues/instrumentation of the cases presented in the petition, if the necessary information/documents are available.

MENTION 5: For petitions aimed at not processing the data of a deceased person for the issuance of RCA policies (for an alienated vehicle and not registered by the buyer), the necessary blocking actions are performed in the consent register, based on the death certificate, even if the petitioner's request does not meet all the criteria for an admissible petition.

For any other type of request that refers to the data of a deceased person, it is necessary to present the heir quality certificate or the heir certificate.

MENTION 6: Petitions received from insurance intermediaries - exercising the right to oppose the blocking of the issuance of an RCA policy (for an alienated vehicle and unregistered by the buyer) - containing the request of the data subject (the seller of the vehicle) as a signed document in e-mail attachments, can be considered and treated as admissible petitions.

  3. “Inadmissible” status

The petitions that fall into this category are those for which the other conditions of admissibility, as described in this information document, are not met, although the necessary diligence has been carried out to obtain the missing/incomplete elements, where possible.

In the case of petitions classified as “inadmissible”, the petitioners are informed in writing about the need to comply with the conditions for admitting the petition.

3.6. Categories of petitions related to the processing of personal data

The categories of petitions that can be addressed by the persons concerned as petitioners (directly or through a representative / agent) are the following:

  1. The request for the exercise of rights is the petition by which the data subject requests the enforcement of one or more rights, as they are defined by the GDPR and all the legislation in force in the field of data protection.
  2. Complaint is the petition by which the data subject informs about their dissatisfaction regarding the activity of processing their personal data carried out by OMNIASIG VIG.
  3. Proposal/notification is the petition by which the petitioner presents OMNIASIG VIG ideas, suggestions, recommendations/informs us about a situation/state of affairs in connection with the processing of personal data, without any damage to any data at the time of submission of the petition.

3.7. Solving petitions related to the processing of personal data

The DPO acts as a contact point in the relations between the data subjects and OMNIASIG VIG, whose contact data are published on the website www.omniasig.ro.

If necessary and possible, the petitioner is requested to provide the missing/incomplete information, information without which the petition cannot be considered admissible (according to the rules described in this information document).

To help provide all the information requested by the OMNIASIG VIG representative, OMNIASIG VIG makes available to the petitioner / representative / authorized person of the petitioner the petition form, which can be downloaded and saved from the website www.omniasig.ro, following the path: https://www.omniasig.ro/protectia-datelor.

If necessary, the petitioner is requested to confirm in whole or in part the information communicated through the petitions (both for those addressed electronically and for those addressed by letter) in all cases where:

  1. a discrepancy is identified between the information communicated by the petition and the information already held by OMNIASIG VIG (example: the petitioner declares, in the petition, a different e-mail address than the one communicated at the conclusion of the insurance contract; the surname is different, although the CNP is identical);
  2. the information received is not legible (e.g. documents attached in copy);
  3. the information is not complete;
  4. any other situation in which not requesting confirmation may lead to the situation in which the petitioner is affected.

The answer to the petition is prepared for:

  1. ANSPDCP - if the petition was received from ANSPDCP;
  2. petitioner - in the following cases:
  • the petition was received from the petitioner (data subject);
  • the petition was received from ANSPDCP, but there is a request specifically mentioned by ANSPDCP in this regard;
  • the petition was received from a representative / agent, but there is a request expressly mentioned in the documentation submitted by the petitioner's representative / agent in this regard;
  3. representative / agent - if the petition has been received from the petitioner, but there is a request expressly mentioned in the documentation submitted by the petitioner's representative / agent in this regard.

The answer to the petition is sent as follows:

  1. by e-mail as a message in the body of the e-mail: if the company has information regarding a correct and valid e-mail address of the data subject and if there is no other specification from the petitioner / representative / agent of the petitioner and/or from ANSPDCP regarding the way of transmitting the answer;
  2. by e-mail as a document inserted in the e-mail attachment: if the company has information on a correct and valid e-mail address of the data subject and if there is such a statement communicated by the petitioner / representative / agent of the petitioner and/or from ANSPDCP regarding the way of transmitting the answer;
  3. by fax;
  4. by courier/mail, with acknowledgment of receipt: if the company does not have information regarding a correct and valid e-mail address of the petitioner and the petitioner / representative / agent of the petitioner and/or ANSPDCP expressly requests this method of communicating the answer.

3.8. Deadline for responding to petitions

According to the legal regulations in force in the field of petitions, the deadline for responding to such documents is a maximum of 30 calendar days from the date of receipt of the petition.

The date of receipt of the petition is the date of entry of the document into OMNIASIG VIG, regardless of whether the petition is submitted:

  • in electronic format or in letter format (on paper);
  • on a working or non-working day.

In the case of petitions for which it is necessary to request information - information without which the petitions cannot be considered admissible and cannot be processed - a new period of 30 days runs from the date on which the requested information is complete.

In the case of a petition made under Articles 15 to 22 of the GDPR, namely the exercise of rights, when - due to the complexity of the actions to be taken - the resolution of the requirements expressed in the petition requires more than one month, the petitioner is informed in writing, within 30 days from the date of receipt of the petition, of the possibility of extending the term of communication of the response to the petition, as well as of the reasons for the delay.

The extension period must be within a maximum of three months from the date of:

  • receipt of the petition - in the case of petitions which may be considered admissible without it being necessary to request the petitioner to provide additional information;
  • receiving the last information requested from the petitioner - in the case of petitions that cannot be considered admissible without receiving additional information from the petitioner, so that the data are complete.

Removing processing restrictions activated by petitions

The petition regarding the temporary or permanent removal of a restriction on data processing may be made only on the basis of a written request of the data subject whose personal data have been subject to the restriction or their authorized person. It follows all the rules described in this document.