Processing for other purposes
Shared
Heading
For information and IT security
Purpose description
We process your personal data in order to be able to protect our IT systems so that they function correctly and securely, to investigate IT security incidents and to be able to recreate the data in the systems if necessary.
What information is processed and how?
We process personal data for all our purposes with the support of various IT systems, which also means that all data, including personal data, is continuously backed up. This is so that we can restore and recreate all data in our systems in the event of an incident.
Data such as IP address and information about the device requesting access to our systems (usually a computer or a mobile) is used to protect our IT systems against unauthorised intrusions, overload and other security risks. We check calls to our systems against IT security providers' lists of reported IP addresses.
We also log when information is made available, registered, changed or deleted. We use the logs partly to troubleshoot when something does not work as it should, and partly to investigate suspicions of a security incident.
Legal basis and your rights
We base our processing of your personal data on a so-called legitimate interests. The processing is necessary for us to be able to protect our IT systems and to be able to reproduce the data in the systems if necessary. The aim is to ensure that the IT systems function correctly and to comply with guidelines on data protection, IT security or information security such as the European Insurance and Occupational Pensions Authority's (EIOPA's) Guidelines on information and communication technology security and governance.
Your rights according to the GDPR
How long do we store the information?
Backup copies of the data in our IT systems are continuously updated and old versions are deleted after a maximum of 13 months.
We store the logs that we use to troubleshoot and investigate any incidents for up to 13 months.
The lists of reported IP addresses are continuously updated and history is not stored.
Data processed to monitor the systems against unauthorised intrusions, overload and other security risks is not normally stored. However, if a call to our systems is blocked for security reasons, information about this is stored for up to three months.
Data controllers, data processors and other recipients
The following companies are joint data controllers for the processing described related to the county insurance companies' common IT systems:
-
All local regional insurance companies
-
Agria Pet Insurance UK
-
Länsförsäkringar AB
-
Försäkringsaktiebolaget Agria
-
Länsförsäkringar Bank AB
-
Länsförsäkringar Fondförvaltning AB
-
Länsförsäkringar Hypotek AB
-
Länsförsäkringar Fondliv Försäkrings AB
-
Länsförsäkringar Grupplivförsäkrings AB
-
Länsförsäkringar Liv Försäkrings AB
The joint data controllers have determined their respective responsibilities for fulfilling the obligations under the GDPR through a mutual arrangement. You have the opportunity to obtain the significant content of the arrangement by contacting Agria.
Försäkringsaktiebolaget Agria is the personal data controller for the processing of personal data in order to protect Agria's own IT systems against unauthorised intrusion, overload and other security risks.
Agria Pet Insurance UK provides support with management, development, testing and support of our IT systems. For this purpose, Agria Pet Insurance UK, in its capacity as personal data processor, has the opportunity to access the data that is processed in the systems for Agria.
We may disclose data from this processing to law enforcement authorities in connection with investigations of suspected IT attacks.
Heading
To manage and develop IT systems
Purpose description
We process your personal data to troubleshoot, provide you and our employees with technical support when you experience problems, and to further develop and test our IT systems.
What information is processed and how?
The processing of personal data that we describe in the aggregated information about our processing of personal data is carried out using various IT systems. Within the framework of the administration of these systems, we sometimes process your personal data to troubleshoot and investigate the causes of technical problems and when we provide technical support to you or an employee handling a case that concerns you.
In some cases, we register a case in our case management system to have information about your problem if it persists or reoccurs.
When testing the systems in connection with development, we primarily use fictitious personal data. In some situations, such as for testing high loads, this may be insufficient and real data available in the systems may need to be used.
Legal basis and your rights
We base our processing of your personal data on a so-called legitimate interest. The processing is necessary so that we can troubleshoot, provide you and our employees with good technical support and test our IT systems in connection with development to ensure that the changes work as intended. We undertake development to improve and streamline our products and services.
Your rights according to the GDPR
How long do we store the information?
Your cases are stored for up to three years after the case is closed.
Personal data used when testing the systems is deleted from the test environment as soon as the test is finished.
Data controllers, data processors and other recipients
The following companies are joint data controllers for the processing in the county insurance companies' common IT systems:
-
All local regional insurance companies
-
Agria Pet Insurance UK
-
Länsförsäkringar AB
-
Försäkringsaktiebolaget Agria
-
Länsförsäkringar Bank AB
-
Länsförsäkringar Fondförvaltning AB
-
Länsförsäkringar Hypotek AB
-
Länsförsäkringar Fondliv Försäkrings AB
-
Länsförsäkringar Grupplivförsäkrings AB
-
Länsförsäkringar Liv Försäkrings AB
The joint data controllers have determined their respective responsibilities for fulfilling the obligations under the GDPR through a mutual arrangement. You can obtain the significant content of the arrangement by contacting Agria.
We hire IT consulting companies as personal data processors for the management, development, testing and support of our IT systems. In connection with these processes, personal data may be transferred to India by giving the processor's staff there access to our systems. The transfer takes place with the support of standard contractual clauses according to Article 46.2 of the GDPR in combination with supplementary protective measures. For example, access to our network and IT systems can only take place using devices (computers and mobile phones) that have been configured by us. Access is then encrypted via a virtual private network (VPN) with multi-factor authentication, which means that in addition to the username and password, a one-time code generated on another device such as the employee's mobile phone is required.
When developing services that require integration with other actors' IT systems, such as partners in our claims settlement process, we may need to transfer personal data in connection with tests to ensure that the service will work as it should.
Försäkringsaktiebolaget Agria is the personal data controller for the processing of personal data in Agria’s own IT systems.
Agria Pet Insurance UK provides support with management, development, testing and support of our IT systems. For this purpose, Agria Pet Insurance UK, in its capacity as personal data processor, has the opportunity to access the data that is processed in the systems for Agria.