Processing of personal data - NCC Försäkring

Last updated June 2022

This information text describes the processing of personal data for injured parties and designated contacts, and how we collect, use, store and protect your personal data.

“Personal data” means information that can directly or indirectly identify you as an individual, e.g. your name or IP address.

Who is the data controller for the processing of your personal data?

NCC Försäkringsaktiebolag (516401–8151) is the data controller for the processing of personal data in accordance with this information text.

From which sources do we collect personal data?

If an injury has occurred in connection with a visit to or in the immediate vicinity of one of NCC’s construction sites/facilities, NCC Försäkring will need to manage and administer the injury in relation to the NCC Group’s insurance policies. In the event of such management and administration, personal data is processed not only about the injured party but also about the designated contacts at the injured party’s/tortfeasor’s employer or client.

Which personal data do we collect?

We only collect the personal data that we need to handle and administer the claim, mainly in the following categories of personal data:

  • Identity data. Data that makes it possible to identify you, e.g. your name and, where appropriate, your personal identity number or equivalent.
  • Contact details. Information that makes it possible to contact you, e.g. address, email address and telephone number.
  • Injury details. These may include location, date, sequence of events and scope.
  • Created police report.
  • Health data. Injury to a natural person.
  • Claim for compensation.
  • Other details provided in the claim to fulfill a legal obligation.

If necessary in order to fulfill the purpose of the processing of personal data, in some cases we may also collect and process other types of personal data.

How do we protect your personal data?

We take measures to ensure that the personal data we process is always protected and that our processing is carried out in accordance with applicable data protection rules, as well as our internal guidelines and procedures. Information security and ensuring the appropriate protection of personal data are of the utmost importance to us. We strive to implement security measures in accordance with the ISO 27000 international standard, in order to determine the appropriate level of protection for data, and to prevent and detect disclosure of personal data to unauthorized parties.

Which recipients do we share your personal data with?

Below we describe which recipients we share your personal data with. The recipients with whom we share your personal data will depend on how you interact with us. Unless stated otherwise below, the recipient is responsible for their own processing of your personal data.

Service providers

In order to process personal data, we share personal data with service providers that we have hired. These service providers provide e.g. IT services. When the service providers process personal data on our behalf and in accordance with our instructions, they are data processors for us and we are responsible for the processing of your personal data. Service providers may not use your personal data for their own purposes and they are required by law and contractual obligations with us to protect your data.

Group companies

The companies in the Group work collaboratively and therefore share information with each other. To the extent that Group companies process personal data on our behalf and in accordance with our instructions, e.g. to manage the assignment, they are data processors for us and we are responsible for their processing of your personal data.

Intended purpose: Communication between employees and third parties

Personal data:
  • Remuneration data
  • Billing data
  • Identity data
  • Communication
  • Contact details

Legal basis: Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in the communication between employees and third parties.

Intended purpose: Managing and meeting legal requirements

Personal data: Only the categories of personal data that are necessary for managing and meeting the legal requirement on a case-by-case basis.

Legal basis: Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in managing and meeting legal requirements.

Intended purpose: Investigative and security reasons

Personal data:
  • Image material
  • Identity data
  • Incident data
  • Communication
  • Contact details
  • Billing data
  • Remuneration data
  • Log data
  • Profile data

Legal basis: Legitimate interest. The processing is necessary in order to fulfill our legitimate interest in processing personal data for investigative and security reasons. In the event that NCC processes data about criminal offenses (in accordance with Article 10 of the GDPR), such processing will take place in order to satisfy NCC’s legitimate interest in establishing, asserting or defending legal claims.

Intended purpose: Managing whistleblowing reports

Personal data:
  • Identity data
  • Communication
  • Contact details
  • Profile data
  • Remuneration data
  • Billing data

Legal basis: Legitimate interest. The processing is necessary in order to fulfill our legitimate interest in processing personal data in order to manage whistleblowing reports.

Other categories of recipients

NCC may also disclose personal data to recipients outside the NCC Group such as:

Recipient: Courts, mediators and representatives

Intended purpose: In order to establish, assert and defend legal claims.

Legal basis: In order to satisfy our and your legitimate interest in having disputes settled by competent authorities.

Recipient: External insurance companies

Intended purpose: Enabling an external insurance company to process and investigate claims, including claims adjustment, any payment of compensation and/or recourse claims.

Legal basis: In order to satisfy our legitimate interest in establishing, asserting and defending legal claims.

Recipient: Government agencies

Intended purpose: To comply with legal obligations.

Legal basis: Fulfill legal obligations (e.g. in the fields of fiscal and insurance law).

Recipient: Potential buyers

Intended purpose: Implementing any divestment of all or parts of our business.

Legal basis: In order to satisfy our legitimate interest in implementing any divestment.

Furthermore, NCC may disclose personal data to third parties such as IT suppliers, communication agencies and others who provide services that process personal data in accordance with NCC Försäkring's instructions and assignments.

Where do we process and store the personal data?

We always strive to store personal data within the EU. In some cases, your personal data is shared with recipients outside the EU/EEA, e.g. service providers hired by us.

To ensure that personal data is protected, we ensure that appropriate safeguards are in place with all service providers who process your personal data outside the EU/EEA, in light of the legislation of the recipient country. We normally enter into data transfer contracts that contain so-called standard contractual clauses for the transfer of personal data.

If you would like more information about the countries outside the EU/EEA to which we transfer your personal data, and the safeguards we have put in place to protect your personal data, please contact us; see below for contact details.

How long do we store your personal data?

NCC Försäkring retains your personal data for as long as necessary in order to fulfill the purposes set out in this information text, unless a longer retention period is required or permitted by local law to which NCC is subject. We use the following criteria to determine the retention period:

  • the period in which the reported injury is the subject of investigation and subsequent handling;
  • as long as we have an ongoing relationship with you (either as an individual or in your role as an employee of a firm hired by NCC Försäkring);
  • as long as required by legal obligations to which NCC Försäkring is subject (such as fiscal and accounting obligations);
  • as long as appropriate in light of our legal position (such as applicable provisions in statutes of limitations); and
  • as long as necessary for other legitimate business reasons (e.g. follow-up on supplier relationships and documentation of the business).