1. Responsibility for the processing of personal data.
1.1 The implementation of personal data protection tasks at Leadenhall is supervised by the Management Board.
1.3 Leadenhall has appointed a Data Protection Officer, to whom certain activities in the field of personal data protection have been delegated. The Data Protection Officer at Leadenhall can be contacted at daneosobowe@leadenhall.pl
1.3 The Management Board and all employees and third parties who, in the performance of their duties on behalf of Leadenhall, are involved in the processing of personal data are responsible for the application of this Policy.
2. Purposes and principles of personal data processing.
2.1 Leadenhall processes personal data for purposes related to the subject of its statutory activities, in particular personal data of persons applying to conclude an insurance contract through Leadenhall, policyholders, insured persons, beneficiaries, persons seeking claims under insurance contracts concluded through Leadenhall, as well as employees, job applicants and other third parties in order to fulfill obligations arising from generally applicable laws.
2.2 This Policy applies to all personal data processed at Leadenhall, whether via IT systems or on paper, through other media or orally.
2.3 Leadenhall processes personal data in accordance with the following principles resulting from generally applicable laws and Leadenhall's internal regulations (including this Policy):
2.3.1 lawfulness, fairness and transparency (the processing of personal data must have a legal basis; it must respect the interests and rights of data subjects; it must be transparent to data subjects);
2.3.2 purpose limitation (the purpose of processing personal data must be specific, explicit and legitimate, and personal data may not be processed in a manner incompatible with that purpose);
2.3.3 data minimisation (the scope of the data must be adequate, relevant and limited to what is necessary for the established purposes of processing);
2.3.4 accuracy of personal data (processed data must be true, complete and up to date), while also ensuring:
- storage limitation (the period of processing is limited to the necessary minimum),
- integrity, confidentiality and availability (i.e. data are processed in a way that ensures their security, including protection against unauthorised or unlawful access or processing and against accidental loss, destruction or damage),
- accountability (Leadenhall must be able to demonstrate that personal data are processed in accordance with the principles indicated above).
3. Obligations of persons having access to personal data.
3.1 The Management Board and all employees and third parties who, in the performance of their duties on behalf of Leadenhall, have access to personal data processed at Leadenhall are obliged to:
3.1.1 comply with legal provisions and internal procedures governing the principles of personal data protection adopted at Leadenhall,
3.1.2 take part in training provided by Leadenhall regarding personal data protection and cybersecurity,
3.1.3 apply in all planned and implemented business processes the principles of privacy by design and privacy by default, together with the conclusions of the Privacy Impact Assessment (PIA), i.e. the assessment of the impact of processing on the protection of privacy at Leadenhall,
3.1.4 keep the processed personal data confidential for an indefinite period of time,
3.1.5 report to the Management Board of Leadenhall any doubts regarding the correctness of personal data processing,
3.1.6 provide, at the request of the Management Board of Leadenhall, information regarding the processing of personal data at Leadenhall;
3.1.7 supervise subordinate employees and third parties in the performance of the duties described in this Policy,
3.1.8 comply with the security requirements applicable to the use of the Leadenhall trading system and other IT systems in which personal data are processed.
4. Exercise of the rights of data subjects.
4.1 Leadenhall ensures and implements the rights of personal data subjects, i.e.:
4.1.1 the right to information, to obtain confirmation that the controller is processing their personal data, and the right of access to those personal data,
4.1.2 the right to withdraw consent to processing,
4.1.3 the right to rectify/supplement personal data,
4.1.4 the right to delete personal data (“right to be forgotten”),
4.1.5 the right to restrict processing,
4.1.6 the right to transfer data,
4.1.7 the right to object to the processing of personal data,
4.1.8 the right not to be subject to decisions made under automated processing of personal data, including profiling.
4.2 The handling of requests from data subjects is provided by the Management Board of Leadenhall or persons authorized by the Management Board, in accordance with the instructions for handling requests from data subjects applicable at Leadenhall.
5. Implementing regulations regarding the processing of personal data.
5.1 The Management Board of Leadenhall implements detailed implementing regulations regarding the processing of personal data, including:
- personal data storage (retention) policy,
- rules for conducting a data protection impact assessment (PIA assessment),
- instructions on how to proceed in the event of personal data protection breaches,
- instructions for dealing with requests from data subjects,
- register of personal data processing activities for which Leadenhall acts as controller (also containing a register of personal data processing agreements).
5.2 The Management Board of Leadenhall is responsible for the implementing regulations and documentation regarding the processing of personal data, including the information contained in the register of personal data processing activities.
5.3 Regulations relating to the processing of personal data are reviewed by a person authorized by the Management Board of Leadenhall at least once a year.
6. Sharing personal data.
6.1 The decision to disclose personal data processed by Leadenhall is made by the Management Board of Leadenhall or a person authorized by the Management Board.
6.2 Transfer of personal data to a third country is possible only on the terms specified in applicable law, in particular Art. 44 et seq. GDPR.
7. Entrusting personal data.
7.1 Leadenhall, as a controller, may entrust another entity (a processor) with the processing of personal data on behalf of Leadenhall only on the basis of a documented contract concluded with that entity.
7.2 Leadenhall, as a processor, may entrust personal data to another entity (a sub-processor) only for the purposes and on the terms specified in the agreement between the controller and Leadenhall acting as processor.
7.3 A contract for entrusting the processing of personal data in which Leadenhall acts as controller or as processor must meet the requirements of Art. 28 GDPR and is subject to the prior consent of the Management Board of Leadenhall.
7.4 Each entrustment of the processing of personal data for which Leadenhall is the controller is recorded in the register of personal data processing activities by a person authorized by the Management Board.
8. Managing access to personal data.
8.1 Processing of personal data may only be carried out by persons authorized by Leadenhall.
8.2 The authorization to process personal data is included in the employment contract, management contract, mandate contract, or other type of cooperation agreement concluded directly between Leadenhall and the employee/third party.
8.3 The conditions of access for employees or third parties of another entity:
8.3.1 authorized to process personal data for which Leadenhall is the controller may be specified in the personal data processing agreement concluded by Leadenhall with the processor,
8.3.2 authorized to process personal data for which Leadenhall is a processor or sub-processor are specified in the agreement on entrusting or sub-entrusting the processing of personal data concluded by the controller or processor with Leadenhall.
8.4 Employees or third parties authorized by Leadenhall to process personal data are obliged to:
8.4.1 undergo training on the principles of personal data protection and sign a declaration, forming part of the employment relationship, that they are familiar with the laws and the internal regulations of Leadenhall regarding the protection of personal data,
8.4.2 undertake, as part of the employment relationship or other legal relationship, to keep the processed personal data and the methods of securing them confidential for an indefinite period of time,
8.4.3 return all documentation and other media containing personal data processed on behalf of Leadenhall in the event of a change in the scope of their tasks or place of performance of duties at Leadenhall that removes the need to process personal data, or upon termination of the employment contract or other contract with a third party that constitutes the basis for processing.
8.5 The person authorized by the Management Board keeps records of persons authorized to process personal data on behalf of Leadenhall.
9. Procedure in the event of personal data protection breaches.
9.1 Anyone who receives information about a suspected breach of the protection of personal data processed by Leadenhall, including an attempt to defeat the physical protection measures in use or the logical access controls protecting these data, is obliged to report it to the Management Board of Leadenhall immediately after obtaining such information.
9.2 Reported personal data breaches are investigated in accordance with Leadenhall's personal data breach manual.
10. Audit of legal compliance of personal data processing.
10.1 The audit of compliance with the law of personal data processing at Leadenhall covers all organizational units of Leadenhall in which personal data are processed and the processing entities to which Leadenhall has entrusted personal data for processing.
10.2. An audit of compliance of personal data processing with the provisions on the protection of personal data is carried out in one of the following modes:
10.2.1 planned audit, in accordance with the audit plan approved by the Management Board of Leadenhall and with the ISO 9001 and ISO/IEC 27001:2013 standards,
10.2.2 ad hoc audit, carried out in the event of a personal data protection breach at Leadenhall or a reasonable suspicion of such a breach.
10.3 The audit is carried out by a person or entity designated by the Management Board of Leadenhall. A report is prepared from the audit and presented to the Management Board.
10.4 An audit of compliance of personal data processing with the provisions on the protection of personal data may also be carried out at Leadenhall by PUODO (i.e. persons authorized by the President of the Personal Data Protection Office). The PUODO audit procedure is determined by generally applicable provisions of law.
Leadenhall Insurance S.A.
Domaniewska 42, 02-674 Warsaw
NIP: 521-31-76-978
REGON:
KRS: 0000073606
Last updated on May 14, 2024