Processing of personal data - NCC Försäkring
Last updated June 2022
This information text describes the processing of personal data for injured parties and designated contacts, and how we collect, use, store and protect your personal data.
“Personal data” means information that can directly or indirectly identify you as an individual, e.g. your name or IP address.
Who is the data controller for the processing of your personal data?
NCC Försäkringsaktiebolag (516401–8151) is the data controller for the processing of personal data in accordance with this information text.
From which sources do we collect personal data?
If an injury has occurred in connection with a visit to or in the immediate vicinity of one of NCC’s construction sites/facilities, NCC Försäkring will need to manage and administer the injury in relation to the NCC Group’s insurance policies. In the event of such management and administration, personal data is processed not only about the injured party but also about the designated contacts at the injured party’s/tortfeasor’s employer or client.
Which personal data do we collect?
We only collect the personal data that we need to handle and administer the claim, mainly in the following categories of personal data:
- Identity data. Data that makes it possible to identify you, e.g. your name and, where appropriate, your personal identity number or equivalent.
- Contact details. Information that makes it possible to contact you, e.g. address, email address and telephone number.
- Injury details. These may include location, date, sequence of events and scope.
- Created police report.
- Health data. Injury to a natural person
- Claim for compensation.
- Other details provided in the claim to fulfill a legal obligation.
If necessary in order to fulfill the purpose of the processing of personal data, in some cases we may also collect and process other types of personal data.
For which purposes and on which legal basis do we use your personal data?
Creating and administering an accident report
In connection with NCC becoming aware of an injury, NCC Försäkring will manage an accident report in which information is collected about the course of events and the actual injury. Accident reports are usually drawn up by the person at NCC who is responsible for the construction site/facility where the injury occurred and subsequently reported to NCC Försäkring.
Personal data |
Legal basis |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in establishing, asserting and defending legal claims for claim adjustment purposes Any sensitive personal data (data about health) and data about crimes are also processed for the establishment, assertion and defense of legal claims, i.e. in order for the entitlement to insurance compensation to be assessed by NCC’s insurance company. |
Managing and meeting legal requirements
We use your personal data if necessary for the establishment, assertion and defense of legal claims, e.g. in connection with a dispute or legal proceedings.
Personal data |
Legal basis |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in the establishment, assertion and defense of legal claims. In the event that NCC processes data about criminal offenses (in accordance with Article 10 of the GDPR), such processing will take place in order to satisfy NCC’s legitimate interest in establishing, asserting or defending legal claims. |
Fulfilling legal obligations
NCC Försäkring processes personal data for the purpose of fulfilling legal obligations, e.g. with regard to taxation and accounting, capital requirements and risk assessment, etc. for insurance companies.
Personal data |
Legal basis |
|
Legitimate interest. The processing takes place in order to fulfill our legal obligations. |
Managing whistleblowing reports
NCC processes personal data about individuals mentioned in whistleblowing reports in order to be able to receive, investigate and provide feedback on such reports and to be able to take corrective action.
Personal data |
Legal basis |
|
Fulfilling legal obligations and legitimate interests. The processing takes place in order to fulfill legal obligations and our legitimate interest in being able to take corrective action where appropriate. If the NCC company concerned has fewer than 50 employees, the legal basis will be legitimate interest. In the event that NCC is processing data about criminal offenses (in accordance with Article 10 of the GDPR), such processing will take place in order to fulfill legal obligations and to be able to establish, assert and defend legal claims. |
How do we protect your personal data?
We take measures to ensure that the personal data we process is always protected and that our processing is carried out in accordance with applicable data protection rules, as well as our internal guidelines and procedures. Information security and ensuring the appropriate protection of personal data are of the utmost importance to us. We strive to implement security measures in accordance with the ISO 27000 international standard, in order to determine the appropriate level of protection for data, and to prevent and detect disclosure of personal data to unauthorized parties.
Which recipients do we share your personal data with?
Below we describe which recipients we share your personal data with. The recipients with whom we share your personal data will depend on how you interact with us. Unless stated otherwise below, the recipient is responsible for their own processing of your personal data.
Service providers
In order to process personal data, we share personal data with service providers that we have hired. These service providers provide e.g. IT services. When the service providers process personal data on our behalf and in accordance with our instructions, they are data processors for us and we are responsible for the processing of your personal data. Service providers may not use your personal data for their own purposes and they are required by law and contractual obligations with us to protect your data.
Group companies
The companies in the Group work collaboratively and therefore share information with each other. To the extent that Group companies process personal data on our behalf and in accordance with our instructions, e.g. to manage the assignment, they are data processors for us and we are responsible for their processing of your personal data.
Intended purpose |
Personal data |
Legal basis |
Communication between employees and third parties |
|
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in the communication between employees and third parties. |
Managing and meeting legal requirements |
Only the categories of personal data that are necessary for managing and meeting the legal requirement on a case-by-case basis. |
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in managing and meeting legal requirements. |
Investigative and security reasons |
|
Legitimate interest. The processing is necessary in order to fulfill our legitimate interest in processing personal data for investigative and security reasons. In the event that NCC processes data about criminal offenses (in accordance with Article 10 of the GDPR), such processing will take place in order to satisfy NCC’s legitimate interest in establishing, asserting or defending legal claims. |
Managing whistleblowing reports |
|
Legitimate interest. The processing is necessary in order to fulfill our legitimate interest in processing personal data in order to manage whistleblowing reports. |
Other categories of recipients
NCC may also disclose personal data to recipients outside the NCC Group such as:
Intended purpose |
Personal data |
Legal basis |
Courts, mediators and representatives |
In order to establish, assert and defend legal claims |
In order to satisfy our and your legitimate interest in having disputes settled by competent authorities. |
External insurance companies |
Enabling an external insurance company to process and investigate claims, including claims adjustment, any payment of compensation and/or recourse claims. |
In order to satisfy our legitimate interest in establishing, asserting and defending legal claims |
Government agencies |
To comply with legal obligations |
Fulfill legal obligations (e.g. in the fields of fiscal and insurance law). |
Potential buyers |
Implementing any divestment of all or parts of our business |
In order to satisfy our legitimate interest in implementing any divestment. |
Furthermore, NCC may disclose personal data to third parties such as IT suppliers, communication agencies and others who provide services that process personal data in accordance with NCC Försäkring's instructions and assignments.
Where do we process and store the personal data?
We always strive to store personal data within the EU. In some cases, your personal data is shared with recipients outside the EU/EEA, e.g. service providers hired by us.
To ensure that personal data is protected, we ensure that appropriate safeguards are in place with all service providers who process your personal data outside the EU/EEA, in light of the legislation of the recipient country. We normally enter into data transfer contracts that contain so-called standard contractual clauses for the transfer of personal data.
If you would like more information about the countries outside the EU/EEA to which we transfer your personal data, and the safeguards we have put in place to protect your personal data, please contact us, see below for contact details.
How long do we store your personal data?
NCC Försäkring retains your personal data for as long as necessary in order to fulfill the purposes set out in this information text, unless a longer retention period is required or permitted by local law to which NCC is subject. We use the following criteria to determine the retention period:
- the period in which the reported injury is the subject of investigation and subsequent handling.
- as long as we have an ongoing relationship with you (either as an individual or in your role as an employee of a firm hired by NCC Försäkring);
- as long as required by legal obligations to which NCC Försäkring is subject (such as fiscal and accounting obligations);
- as long as appropriate in light of our legal position (such as applicable provisions in statutes of limitations); and
- as long as necessary for other legitimate business reasons (e.g. follow-up on supplier relationships and documentation of the business).