Pursuant to the provisions of:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”);
- Law no. 190/2018 on measures for the implementation of the GDPR in Romania;
- Law no. 365/2002 on electronic commerce, as amended;
- Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector; and
- Any other applicable Romanian and EU legislation on personal data protection and insurance and financial services.
Stein Bestasig Insurance Broker SRL (hereinafter “Stein Bestasig” or “the Company”) has prepared this privacy policy with the intention of informing you that your personal data will be processed in the sense provided, inter alia, in Article 4.2 of the aforementioned GDPR. Data processing is understood to mean any operation or set of operations performed on personal data or sets of personal data, whether or not by automated procedures, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, matching or interconnection, restriction, erasure or destruction.
Likewise, the Company will update the privacy policy on this website in accordance with legal and jurisprudential developments in this area, including any changes in Romanian or EU data protection law.
Responsible for data processing and contact details
The person responsible for the processing of your data is Stein Bestasig, [registration number 15689087], with registered office at 4-6 Profesor Ion Bogdan street, ground floor, 1st district, Bucharest, 010539, Romania; a company that is part of PIB Group Limited, registered in England and Wales, with nº 09900466, and registered office at Rossington’s Business Park, West Carr Road, Retford, Nottinghamshire, DN22 7SW.
In order to preserve the privacy of your personal data and to ensure their proper processing, the Company has appointed a Data Protection Officer, whose responsibility is to supervise the implementation of personal data protection policies. For this purpose, you can contact the controller's Customer Service / Data Protection contact at the following e‑mail address: [email protected] whenever your query is related to privacy in the processing of your personal data.
Where services are offered to, or monitoring relates to, individuals located in Romania, the Company will also ensure that any processing complies with applicable Romanian data protection law, including Law no. 190/2018, and you may exercise your rights as set out below.
Purposes and legitimate grounds for the processing of personal data
In accordance with the GDPR and applicable Romanian data protection law (including Law no. 190/2018), we inform you that your personal data will be processed by Stein Bestasig in its capacity as Data Controller.
| PURPOSES OF THE PROCESSING | LEGITIMATE BASES FOR THE PROCESSING |
|---|---|
| Complete execution of the insurance contract and the insurance intermediation contract, maintenance of the relationship established between PIB Group Iberia and you, advice and information on the conditions of insurance contracts and financial products and assistance in case of a claim. | The execution of the contract to which you are a party. |
| Recording of your voice when necessary for: 1. The correct execution of the contract. 2. Maintaining the quality of service. 3. Fraud prevention, investigation and detection. | The legitimizing bases for the purposes described above are: 1. The performance of the contract to which you are a party. 2. The legitimate interest of the Data Controller to maintain and guarantee the quality of the service. 3. The fulfillment of legal obligations of the Brokerage, in accordance with the regulations in force and applicable at all times. |
| Prevention, investigation and discovery of fraud and obtaining and communicating information to the competent regulatory authorities in those cases legally established. | The fulfillment of legal obligations of the Brokerage, in accordance with the regulations in force and applicable at all times. |
| Sending commercial communications by any means, including electronic communications or equivalent, about insurance and/or financial products brokered by Stein Bestasig. | The legitimate interest of the Data Controller to promote the contracting of products similar to those that may be contracted at the time. We remind you that you may object to this data processing. |
| Elaboration of profiles with personal data of the interested parties for the sending of commercial communications personalized to the characteristics, preferences, needs and tendencies of the interested party. | The express consent of the interested party. |
| Sending customer satisfaction surveys on services offered by the Brokerage. | The legitimate interest of the Brokerage to know the satisfaction of customers in relation to the services provided by the same, and in order to improve it. |
| Sending of commercial communications, by any means, by any of the companies of PIB Group. | The express consent of the interested party. |
| Communication of the data subject’s personal data to companies that are part of PIB Group, for internal administrative purposes, including the processing of personal data of customers and employees. | The legitimate interest of the Data Controller for internal administrative purposes. We remind you of your right to object to this data processing. |
| Communication of your data to collaborating companies of Stein Bestasig (such as insurance companies), in the event that you, as a Client of the Data Controller, contract any of the products and/or services that are marketed by Stein Bestasig. | The correct execution of the contract. |
Failure to provide the required information will result in the impossibility of signing and fulfilling the contract. If you provide us with data of third parties, you must, prior to its communication to the brokerage, ensure that you have complied with the obligations in force regarding data protection at all times, including providing them with this information notice where appropriate.
We have obtained the personal data from you (or from the policyholder) and the category of data to which they belong are: identification and contact data; voice, bank details; health data (if necessary) and any data necessary for the assessment of the insurable risk, as well as for the achievement of the purposes indicated above.
Where health data or other special categories of personal data within the meaning of Article 9 GDPR, or data relating to criminal convictions and offences within the meaning of Article 10 GDPR, are processed, this will be done only where a specific legal basis exists under EU and Romanian law (for example, explicit consent, substantial public interest, legal claims, or other applicable grounds).
Transfer of personal data
In order to ensure the full development of the insurance contract and compliance with legal obligations, Stein Bestasig may transfer your personal data to the insurer selected by you. It may also transfer them to entities, organisations or persons authorised for the resolution and processing of claims; to entities involved in the coverage of your policy (legal and health services); and to courts, tribunals or public administrations where required by applicable law (including the competent Romanian or other EU/EEA authorities where relevant).
Likewise, the Company may communicate your personal data to companies that are part of PIB Group (including other group entities in Romania), for internal administrative purposes, including the processing of personal data of customers and employees, in order to internally manage the service provided and the maintenance of the contractual relationship. This transfer is covered by the legitimate interest under the provisions of Recital 48 of the GDPR, so it will not be necessary to obtain your express consent for this operation. We remind you of your possibility to object to this data processing.
International data transfers
Stein Bestasig, as part of the PIB Group Limited group of companies, is an organisation operating in different countries and may transfer certain personal information about you internationally for the sole purpose of performing the contract entered into. In particular, Stein Bestasig may make such transfers to administer and manage the services provided to you and to improve the efficiency of business operations. The Company will take appropriate steps to ensure that transfers comply with all applicable data protection regulations, including Chapter V of the GDPR and the relevant provisions of Romanian law.
In the case of transferring personal data to countries outside the European Economic Area for the fulfilment of the purposes of the processing, such transfers will preferably be made to countries that the European Commission considers to offer adequate data protection safeguards (“transfers based on an adequacy decision”). In particular, your data may be transferred to the USA and the UK, territories where the funds controlling PIB Group Limited and the Lexis Nexis platform, which we use to verify data for fraud prevention and money‑laundering prevention purposes, are based. In this regard, we inform you that both territories benefit from an adequacy decision from the European Commission (for the USA, for entities participating in the EU‑US Data Privacy Framework, and for the UK).
On other occasions, when your data is transferred to territories without an adequacy decision or to entities not adhering to the EU‑US Data Privacy Framework, we will adopt adequate safeguards (“transfers based on the provision of adequate safeguards”), in particular by entering into standard contractual clauses, in accordance with Article 46 of the GDPR.
In cases where there is no adequacy decision or no adequate safeguards are provided, in accordance with Article 49 of the GDPR, we may transfer your personal data to a third country or international organisation when: (i) we have your explicit consent to the proposed transfer; (ii) the transfer is necessary for the performance of the contract we have in force with you or for the performance of pre‑contractual measures you have requested from us; (iii) the transfer is necessary for the conclusion or performance of a contract between Stein Bestasig and another natural or legal person, in your interest; (iv) the transfer is necessary for important reasons of public interest recognised in EU or Romanian law or for the protection of your vital interests, or those of other persons, where you are physically or legally incapable of giving consent; (v) the transfer is necessary for the establishment, exercise or defence of legal claims; or (vi) we are faced with situations where the transfer is made from a public register which, under Union or Member State law, is intended to provide information to the public and is open to inspection by the general public or by any person who can demonstrate a legitimate interest, provided that the conditions set out in Union or Member State law for inspection are met.
If you would like more information about the processing of your personal data, please contact us at [email protected].
Retention, cancellation and deletion of personal data
We inform you that the personal data provided by you will be kept for as long as the indicated purpose subsists and until the expiration of the statute of limitations of the actions that may arise from the fulfilment of the insurance contract, once the contract has expired for any reason and/or open claims have been closed. The data will be blocked when they are no longer relevant for the fulfilment of that purpose, in accordance with the GDPR and applicable Romanian limitation periods and retention obligations (for example, those arising from insurance, commercial, tax and anti‑money‑laundering legislation).
We remind you that you have the right to obtain confirmation as to whether we process your personal data.
When the deletion derives from the exercise of the right to object as provided for in Article 21(2) of the GDPR, the Data Controller may retain the data subject’s identification data in order to prevent future processing for direct marketing purposes, in accordance with applicable Romanian law.
Due diligence in the management of personal data
The Company complies with the legal security measures for the protection of personal data and has adopted all reasonably required measures in accordance with current technical knowledge to prevent the loss, misuse, alteration, illegitimate intrusion and theft of the personal data provided. In any case, you should be aware that the Internet is not a totally secure and/or impregnable medium.
Rights you may exercise in relation to the processing of your personal data
You have the right to withdraw your consent at any time, provided that the processing is not necessary for the performance of the insurance contract or for compliance with a legal obligation. However, the withdrawal of such consent does not affect the lawfulness of the processing based on consent before its withdrawal.
You may exercise the following data protection rights under the GDPR and Romanian data protection law:
- Access: the right to contact the data controller to find out whether or not it is processing your personal data and to obtain information about it.
- Rectification: the right to obtain the rectification of your personal data that is inaccurate or incomplete.
- Deletion or “to be forgotten”: data subjects may request that the Company deletes their personal data when: (i) the personal data is no longer necessary in relation to the purposes for which it was originally collected; (ii) when you withdraw your consent (if the data processing is based on consent); (iii) you have successfully exercised your right to object; (iv) when your personal data has been unlawfully processed; and (v) when the Company has to comply with a legal obligation.
- Limitation: you may request the limitation of the processing of your personal data by the controller when the following conditions are met: (i) when you contest the accuracy of your personal data, within a period that allows the controller to verify it; (ii) when you have objected to the processing of your personal data by the controller on the grounds of legitimate or public interest, while the alleged grounds are being verified; (iii) when the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the formulation, exercise or defence of claims.
- Right to portability: the right to receive information about the processing of your personal data, in a structured, commonly used, machine‑readable and interoperable format, and to transmit it to another data controller, provided that the processing is legitimate on the basis of consent or within the framework of the performance of a contract and carried out by automated means. This right shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Right to object: the right to object, on grounds relating to your particular situation, to processing based on legitimate interest or public interest, and the absolute right to object at any time to processing of your personal data for direct marketing purposes, including profiling related to such marketing.
- Rights related to automated decision‑making and profiling: where applicable, the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, and to obtain human intervention, express your point of view and contest the decision, in accordance with Article 22 GDPR and applicable Romanian rules.
These rights, as well as the presentation of claims or requests for clarification, may be exercised through the following e‑mail address, [email protected], or at 4-6 Profesor Ion Bogdan street, ground floor, 1st district, Bucharest, 010539, Romania, providing a copy of your ID card or other identification document along with the request for the right in question.
Also, we inform you that the Company, before providing you with information or facilitating the exercise of your rights, may perform various tasks to verify your identity or other details necessary to respond appropriately to your request. We will contact you within a maximum period provided by the GDPR and applicable Romanian law (normally one month from the date of your request, extendable where permitted).
Ultimately, and in case you do not agree with the exercise of your rights, you may request information and/or file a complaint with the Romanian Supervisory Authority: https://asfromania.ro/en/