Personal data protection
INFORMATION ON PERSONAL DATA PROTECTION – USERS OF INSURANCE SERVICES
This information has been prepared in connection with the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data from 25.05.2018.
The protection of your personal data is our priority. The organizational and technical measures we have taken ensure that your personal data will be processed lawfully, fairly and transparently, ensuring that your rights are respected. With this Notice on the processing of personal data, we would like to inform you of the following: what personal data will be processed, for what purposes and on what legal grounds, as well as to which categories of recipients your data may be provided. We will also inform you of the periods for which the data will be stored.
We recommend that you carefully read this information to understand how your personal data is processed in your capacity as a user of insurance services (insured, insured, third party beneficiary, third party injured party, as well as other persons who have rights under an insurance contract, or an individual who is interested in using insurance services), a representative of a counterparty, a legal entity or another interested person. This document also contains information about your rights and the ways in which you can exercise them.
1. Personal data administrator
"Barents Insurance" EAD ("Barents"/"the Company") with UIC: 207459862, with registered office and registered address: Sofia, 7-9 Uzundzhovska Street, is a Personal Data Administrator. The Company processes personal data of users of insurance services, including if you are a person under the age of 18. The Company determines the purposes and means of processing personal data and informs individuals about the processing of their data through "Information on Personal Data Protection". The Company, in its capacity as a Personal Data Administrator, carries out its activities in strict compliance with the requirements of the Personal Data Protection Act and "Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data" (the "Regulation") in order to ensure confidentiality and lawful processing of your personal data in accordance with the principles related to the processing of personal data specified in Art. 5 of Regulation (EU) 2016/679.
2. What is meant by personal data and what data do we process?
"Personal data" includes any information relating to a natural person (data subject) who is identified or can be identified, directly or indirectly, by means of an identifier such as: name, unique citizen number, permanent and current address, gender, telephone number, e-mail address, online identifiers, or by means of one or more characteristics specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing of personal data" is any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.1. Categories of personal data
Barents processes various categories of personal data relating to your physical, social, economic, etc. identity, including health data. The data may be obtained from you as the data subject or from third parties under contracts concluded with the controller (insurance intermediaries, medical institutions, etc.), including from publicly available sources (Commercial Register, etc.), in view of the specified processing purposes. The company may process different categories of data, depending on the purpose of the processing, such as:
2.1.1. Basic data, including: full name, telephone number (mobile, landline, home, work), email address, permanent address (street, number, postal code, city, country), current address (street, number, postal code, city, country), information about the products and services provided by Barents used by you. This data is used primarily to offer you standard products and services that are similar or related to those you use, as well as to analyze the products and develop a strategy for their distribution, including conducting customer surveys, in order to improve our products and services and improve the customer experience.
2.1.2. Extended data, including:
• for identification (identification data) - full name, place and date of birth, citizenship, permanent and current address, data from an identity card or other identity document (passport, driving license, residence permit), personal identification number or other identification number, in accordance with applicable legislation, IP address of a device with Internet access used to access services provided by the Company, place of employment, risk profile, source of income (where applicable), marital status;
• for contact (contact data) - telephone number (mobile or landline), email address, permanent and current address, data of contact persons related to the client;
• for insurance risk assessment - data related to the needs and requirements of the client, age, health status, insured property, etc.;
• for providing consultations, products and services – identification data, contact data, information about health status, requirements and needs, qualifications, professional experience, products and services used, financial status, ability to take risks (where applicable), feedback, comments, suggestions, previous complaints;
• for fulfilling obligations under insurance contracts or settling insurance claims – data from third parties (insurance intermediaries, employers, doctors, medical institutions, government bodies, clients, contractors, partners, etc.), including information from public registers, location data, etc.;
• for participation in competitions, raffles and others – identification and contact data, information about products/services provided (depending on the specific competition), photographs (with explicit consent, if necessary);
• to ensure the security of processes, customer relationship management, analysis of products and their distribution strategy, customer experience and satisfaction - telephone calls related to the Company's main activity, to prove instructions from customers, complaints, staff training, as well as to improve the quality of products and services;
• for physical security - video surveillance;
• data collected through the Company's corporate website, received through digital portals/feedback forms, signals and inquiries, calculators for the purpose of providing products and services, improving processes, analysis of products and their distribution strategy, management of customer relationships and improving customer satisfaction - identification data, contact data, information about products and services used, information about the quality of the customer/person who is not a customer of the Company, additional information provided at the discretion of the data subject (responsibility for the content and admissibility of the additional information provided, including data provided to third parties, lies with the data subject);
• social media and third-party websites (when accessing the Company's official pages on social networks such as Facebook, Instagram, LinkedIn) - information about the person who accessed the relevant social network, which may become known to the Company;
• data related to the use of the Company's mobile applications for the purpose of providing products and services, improving processes, managing customer relationships, improving customer experience and satisfaction - identification and contact data, 'Push' notifications (messages that appear on the screen of the user's mobile device, including when not logged into the application, as a reminder to complete a request for a product or service, information, etc.), other notifications from the applications for which the client must give consent (consent can be withdrawn by turning off the service), additional data provided by the client, for which he is responsible;
• data collected through the use of cookies – information about stay, behavior, searches and others, the volume of which depends on the cookie settings that the client chooses, and the data is processed for the relevant purposes specified in the relevant electronic channel.
3. Why we process your personal data
3.1. The main purposes for the processing of personal data on the basis of the Administrator's legal obligations include:
• Comprehensive screening (identification, verification and acceptance) of users of insurance services;
• Preparation of reports to regulatory authorities;
• Control and prevention of insurance fraud and conflict of interest;
• Data and information systems protection;
• Provision of personal data to state and regulatory authorities when exercising their powers under law.
• Analysis of customer needs in order to fulfill the requirements of the Insurance Code for providing a product that meets the requirements and needs of the customer;
• Analysis of the products and the planned distribution strategy, including conducting customer surveys through any of the channels, including Barents offices, contact center, email, SMS, telephone, online channels, to assess at least whether the product still meets the needs of customers in the defined target market and whether the planned distribution strategy is still appropriate.
For the above purposes, the processing of personal data is based on legal obligations in the following regulatory acts - Insurance Code, Obligations and Contracts Act, Accountancy Act, Personal Income Tax Act, Tax and Social Security Procedure Code, etc.
3.2. The main purposes for the processing of personal data on the basis of the performance of a contract include:
• Insurance risk assessment and insurance premium calculation;
• Preparation of an individual proposal for insurance;
• Preparation of an insurance contract and fulfillment of legal obligations in connection with its conclusion;
• Processing of insurance claims in connection with insurance events that have occurred;
• Use of Barents products or services - (applications, portals, participation in raffles, competitions, etc.), created to facilitate access to the products or services provided and improve the customer experience.
For the above purposes, the processing of personal data is based on the concluded contract in compliance with the provisions of the Insurance Code and other applicable regulations.
3.3. The main purposes for processing personal data based on the legitimate interests of the controller include:
• Testing new and changes to existing software applications, demonstration platforms and internal company portals in order to:
- updating, creating new and testing changes to existing functionalities,
- testing of software applications in a secure environment for validation purposes. In this case, it is possible to outsource the testing to an external provider with whom the company has a contract. The contract explicitly stipulates the rights and obligations of the parties, including the relevant technical and organizational measures for security and protection of personal data processed for the specific purpose.
- incident resolution – incident reenactment,
- ensuring data protection,
- employee training, etc.;
• Research and development of products/services and analysis of market trends in order to provide better products to our customers;
• Direct marketing of Barents standard products and services – Barents offers its standard products and services only to current customers, who can therefore reasonably expect that their personal data may be processed to offer them new and better products and services, similar or related to the products or services they use.
• Managing customer relationships in order to offer appropriate insurance products and services, taking into account the individual preferences of each user, ensuring better and higher quality customer service, which includes sending messages by phone, email, SMS, letters, etc. in relation to the products used by the user, including conducting marketing research;
• Internal reporting, management information and optimization of processes in the organization, including data exchange in relation to activities that the Company has outsourced and assigned to another company for implementation (outsourcing of activities);
• Litigation - establishing, exercising and protecting the company's rights in legal proceedings and for settling legal disputes;
• Creation of analytical business models. The company builds analytical models to support the development of services for its clients and to evaluate the products and services offered. The collected data of all or large groups of clients are grouped by a certain characteristic in order to build models/establish dependencies/relationships/algorithms, without affecting the interests of the individual client and without taking any action in relation to him. To create such models, the company uses pseudonymized personal data, i.e. data that is masked in such a way that it cannot lead to the identification of a specific client without the need for additional information.
• Physical security – processing of personal data for the purposes of video surveillance in the company's offices.
• Fraud prevention and detection – The Company processes personal data of customers for the purpose of protection against fraud and criminal acts. Measures to prevent and detect fraud are implemented in the context of internal security rules, implementation of control, ensuring reliable protection of information stored on physical and electronic media, as well as in online portals.
• Customer relationship management – Personal data of customers, stored in various databases, could be grouped by a certain characteristic and processed through the company's various distribution channels (direct sales, insurance agents, contact centers), the purpose of grouping them being to facilitate and improve these channels for accessing information and servicing customers.
The processing of personal data for the above purposes is necessary to protect the legitimate interests of Barents as the Administrator of personal data. Each data subject has the right to object to the processing of his or her personal data for purposes based on the legitimate interests of the Administrator. When processing personal data for the purposes of direct marketing and customer relationship management, as a data subject, you have the right to object at any time to the processing of your personal data, and Barents will cease to use your data for these purposes.
4. How we collect and process your personal data
The Company collects your personal data directly from you through administrative personnel who are authorized to acquire documents in paper and/or electronic format both in the pre-contractual phase and during the management and performance of the employment/collaboration relationship with you.
If data is collected by third parties, we will inform you immediately, in accordance with Art. 14 GDPR.
In case you are required to provide special categories of personal data (e.g. health data or trade union membership information), they will be processed solely for the purpose of fulfilling contractual obligations and within the framework of the purposes stated above. The processing will only be carried out if it is strictly necessary to achieve legitimate objectives, while respecting the principles of proportionality and subsidiarity.
The processing of your personal data will be carried out by computer and manual methods, using logical criteria that are appropriate to the purposes of the processing, with explicit compliance with the confidentiality and security requirements provided for by law and internal policies. This includes comparison, classification, calculation and creation of lists or reports.
Some of your data may be processed by external organisations or professionals who perform the duties of external data processors pursuant to Article 28 of the GDPR (e.g. legal and accounting firms, employment consultants, etc.). These third parties may also process special categories of data related to the employment/collaboration relationship (such as health data to ensure safety at work), provided that there is prior authorisation from the data controller.
In some cases, your data may be provided to partners and suppliers to activate or deactivate profiles for authentication and authorization of data processed through electronic systems, or to provide access to specific software. This may also include situations where you use third-party data processing systems or with access privileges associated with credentials, such as in the case of a "system administrator".
Identification codes and additional elements, such as username and password for accessing systems, will be processed in accordance with legal security requirements to prevent abuse and litigation.
We are committed to processing your personal data in accordance with the principles of lawfulness, fairness and transparency, ensuring their confidentiality and security. All data collected will be used only for the purposes for which they were collected and appropriate technical and organizational measures will be taken to ensure their protection, as required by the GDPR. These measures ensure that access to your personal data is only permitted to authorized persons or third parties who process data on behalf of the controller.
5. Burden of providing personal data
The provision of personal data to the Data Controller is mandatory only for data for which there is a regulatory obligation (i.e. established by laws, regulations, measures of public authorities, etc.) or necessary for the performance of the employment contract and/or cooperation contract or in the face of a legitimate interest of the employer/contractor.
In the event of a regulatory or contractual obligation to provide the Data, the refusal of you, as the Interested Party, to provide the Data may result in a breach of the rules establishing such obligation (with possible consequences at the expense of the Interested Party) or a breach of contract (which may result in contractual or civil remedies for breach). In no event will the Company be able to carry out the operations that imply the processing of the aforementioned personal data, with all consequences and damages to be borne by the Interested Party.
In cases where you are free to provide your personal data, any refusal to provide it does not result in regulatory or contractual violations (with the corresponding consequences set out above).
However, if your data is necessary or extremely important for the performance of the contractual relationship (e.g. data related to your health), refusal to provide it may result in the inability to track operations related to such data (e.g. health certificates) or may otherwise result in delays in the performance of such operations.
Any refusal to provide data that is functional for our activities, other than those that are necessary or strictly necessary for the performance of the contractual relationship, may prevent the performance of further activities, but does not prevent the performance of the current contractual relationship.
6. To whom do we disclose your data?
The categories of recipients outside the company to whom personal data is disclosed include:
6.1. Personal data administrators for whom there is a legal obligation to provide personal data: Financial Supervision Commission, Personal Data Protection Commission, Financial Intelligence Unit at the State Agency for National Security, National Revenue Agency, Consumer Protection Commission, judicial authorities, Prosecutor's Office, Ministry of Interior, etc.
6.2. Administrators and processors of personal data who process personal data under a contract concluded with Barents upon application of appropriate technical and organizational measures: suppliers of products and services of the company, including providers of information and communication solutions, external lawyers and law firms, trusted services, assistance companies, providers of consulting services, marketing and market research agencies, external auditors; insurance agents and brokers in accordance with the requirements of the Insurance Code; reinsurers and co-insurers; medical institutions; other companies of Barents Re Reinsurance, etc.
6.3. Recipients outside the European Economic Area (EEA) – It is possible that some of the recipients listed above are established outside the European Economic Area (third countries). In this case, an adequate level of protection of personal data will be ensured, both in accordance with local and European legislation. The personal data provided will be sufficiently protected in the relevant third country and, if necessary, approval will be obtained from the Personal Data Protection Commission. Personal data may be provided to recipients of personal data from countries outside the EEA that are not treated as countries with an adequate level of personal data protection, provided that agreements for the processing and transfer of personal data are concluded with the recipients of personal data and standard contractual clauses approved by the European Commission are provided for and after a detailed assessment of the impact of the transfer on the rights of the personal data subjects has been carried out. The Company will take all necessary measures to protect personal data when their processing requires their provision to countries outside the European Economic Area.
8. How long and where do we store your personal data?
Your personal data is stored according to the legally established deadlines:
• Insurance contracts and documents related to their conclusion – maximum period of 12 years after termination of the legal relationship.
• Insurance claims and documents related to their processing – maximum period of 12 years after settlement of the insurance claim.
9. What are your rights as a data subject?
You have the following rights regarding the processing of your personal data:
• Right to access your personal data and provision of information about the purposes of processing, categories of personal data, recipients to whom personal data is disclosed, storage periods, etc.
• The right to withdraw your consent to the processing of your personal data at any time when the processing is based on your consent.
• Right to rectification – to request that your personal data be corrected if it is inaccurate or incomplete.
• Right to erasure (the right to be forgotten) – Your personal data to be deleted on the following grounds: the personal data are no longer necessary for the purposes for which they were collected/processed; when you withdraw your consent, when the data processing is based on consent; when there is no other legal basis for processing; when the data has been processed unlawfully, etc.
• Right to restrict processing for a certain period of time when the accuracy of the data is disputed or there is an objection to the processing based on the legitimate interests of the controller.
• Right to data portability – to receive your personal data in a structured, commonly used and machine-readable format when they are processed in an automated manner based on consent or contractual obligation, provided that there is a technical possibility to provide them.
• Right to object to the processing of your personal data where the processing is based on the legitimate interest of the controller. In case your objection concerns the processing of personal data for direct marketing and customer relationship management, we will unconditionally cease processing them for these purposes.
• Right to file a complaint with the Commission for Personal Data Protection (CPDP) or to the court regarding the processing of your personal data. You can find more information on the website of the Commission for Personal Data Protection: www.cpdp.bg, where you can file a complaint.
9.1. Exercising your rights
Any individual may exercise their rights by submitting a form application to any Barents office or alternatively by e-mail to dpo@barentsins.com; the application must be signed with a valid qualified electronic signature. You may at any time exercise the right to withdraw your consent to the processing of your personal data for the purposes for which the processing is based on consent by submitting a declaration of withdrawal of consent to our offices. Detailed information on how to exercise your rights can be found in the “Information on Personal Data Protection” on the Barents website - HOME | Barents Insurance.
In cases where you, as a data subject, exercise your rights, it is necessary to fill out a form for exercising the relevant right, which you should submit on paper to our office or by e-mail to dpo@barentsins.com, and the application must be signed with a valid qualified electronic signature.
Application forms are available in any of our offices or on the company's website (HOME | Barents Insurance), "Personal Data Protection" section, and will be provided to you by our employees upon request.
Applications to exercise your rights are submitted in person or by a person expressly authorized by you. When exercising your rights, Barents is obliged to identify you and verify your identity as a data subject. For this purpose, Barents may request a valid identification document from you when accepting an application to exercise a right and when providing the information requested by you. Alternatively, applications received by e-mail should be signed with a valid qualified electronic signature. According to the requirements of the Regulation, Barents should not respond to an application from a data subject if it is unable to identify the person and confirm their identity.
Barents provides information on the actions taken in connection with the submitted application for the exercise of rights within one month of receiving the application. If necessary, this period may be extended by another two months, taking into account the complexity and number of applications submitted. Barents will inform you of any extension within one month of receiving the application. You can ask your questions related to the processing of personal data in writing, both at your service office and electronically at e-mail: dpo@barentsins.com.
7. Where do we transfer your data?
As a rule, Barents does not transfer your personal data outside the European Union (EU) and the European Economic Area (EEA) except for internal relations with the Barents Re Reinsurance group, provided that adequate measures are in place to protect personal data.