The protection of your personal data is a priority for Primum - Mediador de Seguros, Lda. In accordance with Law No. 58/2019 of August 8, which ensures the implementation of Regulation No. 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter referred to as GDPR) in the national legal order, we are pleased to present our Privacy Policy. This policy will inform you about the new rules applicable to the processing of personal data provided through forms, websites, simulators, proposals, documents, or other means (hereinafter referred to as DOCUMENTS) by clients, potential clients, users, and consumers (hereinafter referred to as DATA SUBJECTS). It also outlines the rights that you are entitled to and how you can manage your consents directly and easily.

This Privacy Policy is of a general and abstract nature. Therefore, the information provided herein may be supplemented or overridden, in whole or in part, by other policies, notices, or information of a more specific nature that may have been or may be made available by Primum in the context of certain types of personal data processing.

Identity and Contact of the Data Controller

The data controller for personal data is Primum - Mediador de Seguros, Lda. (hereinafter referred to as PRIMUM).

PRIMUM, whose activity is regulated by Law No. 7/2019 of January 16 and the corresponding regulations published by ASF, depending on the category of insurance broker, in accordance with contracts, protocols, agreements, or conventions established with insurance companies – companies that have received authorization from the competent authority of one of the Member States of the European Union to carry out insurance activities (hereinafter referred to as INSURERS) – can have various forms and modes of relationship, business models, and performance regarding the INSURERS, reflecting on the purposes and means of processing personal data of the DATA SUBJECT. Therefore, PRIMUM may act, concerning data protection legislation, as a "Data Controller," "Processor," or "Joint Data Controller" of the personal data provided by the DATA SUBJECT when filling out DOCUMENTS, regardless of their medium, either directly or through intermediaries, or generated by PRIMUM, whether in the context of previous contacts, or in the conclusion, execution, renewal, or termination, through its intermediation, of the insurance contract or operation, or resulting from the same and relating to the DATA SUBJECT, whether as policyholder, insured, beneficiary or their representative, and also claimants or third parties and their representatives.

The PERSONAL DATA will be processed by PRIMUM, as the case may be, either as "Data Controller," "Processor," or "Joint Data Controller," for the purposes listed in section D) below, in strict compliance with the provisions of the applicable data protection legislation.

Data Protection Officer (DPO)

PRIMUM has a Data Protection Officer (DPO), who will be the contact point between PRIMUM and the DATA SUBJECT, for the exercise of the latter's rights regarding personal data, as provided in section M) of this Privacy Policy.

The DPO will perform their functions in accordance with Articles 37 to 39 of the GDPR and Article 11 of Law No. 58/2019 of August 8.

DPO Contact Information:

• Address:: Rua de São Mamede, n.º 955, 4745-456 São Mamede do Coronado
• Phone: +351 927 450 070
• Email: geral@primum-seguros.pt

Processing of Personal Data

The personal data of the DATA SUBJECT provided in the relationship established with PRIMUM are processed in accordance with the legally applicable principles, namely:

1. a. Processed lawfully, fairly, and transparently;
2. b. Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes;
3. c. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
4. d. Accurate and, where necessary, kept up to date; appropriate measures must be taken to ensure that inaccurate or incomplete data are erased or rectified, having regard to the purposes for which they were collected or for which they are further processed;
5. e. Kept in a form that permits the identification of data subjects only for the period strictly necessary and legally permitted for the purposes of collection or further processing.

Purpose and Lawfulness of Processing

The personal data of the DATA SUBJECT may be collected and processed by PRIMUM lawfully under the following circumstances:

1. a. The DATA SUBJECT has given their consent for the processing of their personal data for one or more specific purposes;
2. b. Compliance with legal obligations to which PRIMUM is subject, notably with authorities, including supervisory, tax, and judicial authorities;
3. c. Execution and management of the Insurance and Mediation Contract, or for pre-contractual steps, with the involvement of PRIMUM.

The processing of the DATA SUBJECT's personal data is based on the execution of the Insurance and Mediation Contract or for pre-contractual steps and the compliance with legal obligations imposed on PRIMUM, particularly in matters of supervision, tax, or judicial (cf. points b) and c) of paragraph 1 of Article 6 and points b) and h) of paragraph 2 of Article 9 of the GDPR).

Additionally, the personal data collected under point a) are for the purpose of Prospecting and commercial action by PRIMUM and for the management of the Insurance and Mediation Contract (cf. point a) of paragraph 1 of Article 6 of the GDPR) and in the legitimate interests of PRIMUM or third parties in the development and growth of their activity (cf. point f) of paragraph 1 of Article 6 of the GDPR).

Mandatory Personal Data for Compliance with Legal Obligation and Contractual Execution or Pre-Contractual Steps

The DATA SUBJECT is required to provide personal data to PRIMUM for the purposes outlined in points a) and b) of section D) above, under penalty of non-conclusion of the contract or contractual non-compliance. The communication of such data constitutes a legal, contractual, or pre-contractual obligation on the part of the DATA SUBJECT.

The failure by the DATA SUBJECT to provide personal data as outlined above constitutes non-compliance by PRIMUM with the legal and contractual obligations imposed on it. If the data are necessary for the conclusion and execution of an insurance contract, the lack of provision of such data implies the non-acceptance of the contract by the INSURERS, with the intervention of PRIMUM.

Indirect Collection of Personal Data

PRIMUM may collect information concerning the DATA SUBJECT that is deemed relevant for the assessment of the risk to be insured and the establishment of insurance terms by the INSURERS, with the intervention of PRIMUM, from publicly accessible sources, public bodies, industry associations, existing IT platforms, or specialized companies. This is to complement or confirm the information provided by the DATA SUBJECT within the scope of the pre-contractual and contractual insurance relationship management through PRIMUM, including the exercise of insurance mediation activities in accordance with the specifically applicable legislation, within the framework of fulfilling the duties of information, clarification, transmission, advice, assistance, and registration imposed by the said legislation.

Call Recordings

In the telephone contacts established between the DATA SUBJECT and PRIMUM, within the scope of its activity, PRIMUM may record the calls, upon prior information to the DATA SUBJECT and with their consent, for the management of the pre-contractual and contractual relationship through PRIMUM, and to fulfill legal and statutory obligations, particularly as a means of proof of information or instructions transmitted, and also to improve the services offered or contracted and to control their quality.

Recipients and Categories of Recipients of Personal Data

The personal data of the DATA SUBJECT may be disclosed, under a confidentiality agreement, to other companies that are in a relationship of control or dominance (Group), already established or to be established, that PRIMUM is or will become a part of. The identification and contact details of these companies can be requested from the Data Protection Contact at any time. These data may also be processed by other entities for which PRIMUM acts, if applicable, as a "Processor" or "Joint Data Controller," such as those to whom PRIMUM has subcontracted its processing, as well as by its co-mediators of insurance or Persons Directly Involved in the Insurance Distribution Activity (PDEADS). PRIMUM's personal data may also be processed by other INSURERS or co-mediators in the context of claims settlement.

Health Data

In the case of certain risk coverages to be transferred from the sphere of the DATA SUBJECT (namely, in health insurance, personal accident insurance, or others), which fall into the category of special and sensitive data, the presentation, proposal, conclusion, or execution of the insurance contract, with the legal and/or contractual intervention of PRIMUM, involves or may involve the processing of health data of the DATA SUBJECT. This processing can occur within the scope of the pre-contractual relationship for identification, risk analysis, and establishment of contractual conditions, as well as within the scope of the contractual relationship for coverage utilization, claims management, and in processes of renewal and contractual changes.

PRIMUM processes the data in question, either as a "Data Controller," "Processor," or "Joint Data Controller," for the purposes indicated above, with the consent of the DATA SUBJECT or their representative. This is without prejudice to cases where the processing is based on another legal ground (such as for the fulfillment of obligations and the exercise of specific rights of PRIMUM, the INSURERS, third parties, or the DATA SUBJECT themselves, in labor law, social security, and social protection matters, to the extent that such processing is permitted by European Union or Member State law or by a collective agreement that provides adequate safeguards for the fundamental rights and interests of the DATA SUBJECT). In these cases, the acceptance of the insurance contract by the INSURERS, with the intervention of PRIMUM, depends on the possibility of processing the health data of the DATA SUBJECT, without which it is impossible to analyze the proposed risk, conclude the insurance contract, transfer the risk, place and accept the desired coverage, or even maintain the contract in force with the INSURERS.

The processing of health data will be governed by the principle of necessity of knowledge. PRIMUM will ensure that all appropriate security measures are in place to safeguard the information and will ensure that all employees with access to the data are subject to the strict obligation of confidentiality.

The DATA SUBJECT will be notified of any access made to their personal data through traceability and notification mechanisms provided by PRIMUM.

PRIMUM will process health data within the terms and limits provided for in Article 29 of Law No. 58/2019 of August 8.

Rights of the Data Subject

Under the provisions of the GDPR, the DATA SUBJECT may request, at any time:

1. a. Access to their personal data:  they have the right to obtain confirmation as to whether or not personal data concerning them are being processed and, where that is the case, access to their personal data and the information provided for in the GDPR.
2. b. Rectification of their personal data: they have the right to obtain from PRIMUM without undue delay the rectification of inaccurate personal data concerning them.
3. c. Erasure of their personal data: they have the right to obtain from PRIMUM the erasure of their personal data without undue delay, and PRIMUM has the obligation to erase personal data without undue delay when one of the following grounds applies:
4. 1. The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
5. 2. The DATA SUBJECT withdraws consent on which the processing is based (when the processing is based on consent) and where there is no other legal ground for the processing;
6. 3. The DATA SUBJECT objects to the processing and there are no overriding legitimate grounds for the processing;
7. d. Restriction of processing: they have the right to obtain from PRIMUM restriction of processing where one of the following applies:
8. 1. The accuracy of the personal data is contested by the DATA SUBJECT, for a period enabling the controller to verify the accuracy of the personal data;
9. 2. The processing is unlawful and the DATA SUBJECT opposes the erasure of the personal data and requests the restriction of their use instead;
10. 3. PRIMUM no longer needs the personal data for the purposes of the processing, but they are required by the DATA SUBJECT for the establishment, exercise, or defense of legal claims;
11. 4. The DATA SUBJECT has objected to processing, pending the verification whether the legitimate grounds of PRIMUM override those of the DATA SUBJECT.
12. e. Right to object to processing: where the processing is based on the legitimate interests pursued by PRIMUM, the DATA SUBJECT has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them. PRIMUM will cease processing the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the DATA SUBJECT, or for the establishment, exercise, or defense of legal claims.
13. f. Right to data portability: they have the right, under the terms and conditions defined by law, to receive the personal data concerning them, which they have provided to PRIMUM, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, if:
14. 1. The processing is based on consent or on a contract;
15. 2. The processing is carried out by automated means.

If the requests made by the DATA SUBJECT are manifestly unfounded or excessive, particularly due to their repetitive nature, PRIMUM may (i) charge a reasonable fee taking into account the administrative costs of providing the information or communication, or taking the action requested, or (ii) refuse to act on the request.

Regarding the personal data whose processing by PRIMUM is based on the consent provided by the DATA SUBJECT, the right to withdraw consent is granted, without affecting the lawfulness of processing based on consent before its withdrawal, nor the further processing of the same data based on another legal ground, such as the fulfillment of a contractual or legal obligation to which PRIMUM is subject.

The DATA SUBJECT also has the right to lodge a complaint with the National Data Protection Commission.

Retention Period of Personal Data

1. a. Notwithstanding any legal or regulatory provisions to the contrary, the personal data collected will be retained for the minimum period necessary for the purposes that motivated their collection or subsequent processing.
2. b. Notwithstanding the provisions of the previous paragraph, the personal data of the DATA SUBJECT collected by PRIMUM will be retained for the following periods:
3. 1. Purposes based on the execution and management of the insurance contract and insurance mediation or pre-contractual steps: until the legal prescription period of all obligations arising from the insurance contract and the related mediation activity has expired. In the case of non-conclusion of a contract, the data collected in the pre-contractual phase for which there is no special retention period will be deleted after 6 (six) months from the last contact established between PRIMUM and the DATA SUBJECT.
4. 2. Purposes based on consent or legitimate interest: until the end of one year after the end of the contractual and legal relationship.
5. 3. Purposes based on the fulfillment of legal obligations: the applicable period at any given time for each legal and statutory obligation to be fulfilled. Until the expiration of the prescription or expiry period for exercising rights.
6. 4. Purposes related to call recordings: for the periods indicated in the resolutions of the National Data Protection Commission (CNPD) that define the principles applicable to the processing of call recording data, namely, Resolution No. 1039/2017.
7. c. The right to erasure of the DATA SUBJECT can only be exercised after the data retention period imposed by law has expired.

Automated Decisions

In the context of underwriting and renewing insurance contracts or operations, INSURERS may use automated decision-making solutions that are necessary for the conclusion and execution of the respective insurance contract or operation, with the intervention of PRIMUM. This involves using information about the policyholder or insured obtained in the context of managing the contractual or pre-contractual relationship, which may lead to decisions regarding applicable contractual conditions during underwriting or renewal.

The DATA SUBJECT can request more detailed information from the Data Protection Officer about the logic underlying these processes, within the scope of underwriting and renewal of contracts, through PRIMUM. This includes information considered for automated decision-making and how it integrates into the INSURERS' decision-making process. In all cases where INSURERS make decisions solely based on automated data processing, the processes will include mechanisms that allow the data subject to:

1. a. Express their point of view;
2. b. Contest the decision;
3. c. Request and obtain human intervention from the INSURERS, directly or through PRIMUM, in reviewing the decision.

Confidentiality and Integrity of Personal Data

PRIMUM applies appropriate technical and organizational measures to ensure an adequate level of security relative to the risk, by maintaining the DATA SUBJECT's personal data on file.

PRIMUM has a computer system capable of withstanding, with a high level of reliability, accidental events or malicious or illegal actions that compromise the availability, authenticity, integrity, and confidentiality of the personal data stored or transmitted, as well as the security of related services offered or accessible through these networks and systems.

International Data Transfers to Other Entities

As a rule, the personal data collected will not be transferred to any entity established outside the territory of the European Union.

Exceptionally, and under certain conditions, PRIMUM may transfer your personal data to countries outside the European Union, in accordance with applicable legislation, particularly for data hosting or storage purposes, technical subcontracting of processing, backup and recovery of hosted data, and service development.

PRIMUM will not transfer your personal data to countries that do not ensure an adequate level of protection according to the GDPR.

Liability

The DATA SUBJECT who has suffered any damage due to the lawful processing of data that violates the provisions of the GDPR or Law No. 58/2019 has the right to obtain compensation for the damage suffered from PRIMUM or the subcontractor.

PRIMUM or subcontractors will not incur civil liability if they can prove that the event causing the damage is not attributable to them.

Changes to the Privacy Policy

This Privacy Policy may be periodically amended, by publication on the PRIMUM website or by dissemination through any means that leaves a written record, including email or postal mail, without the need for prior and express consent of the DATA SUBJECT.

Any significant changes will be communicated with the corresponding level of publicity according to their relevance, either by highlighting them in the online publication or, if the relevance justifies it, by individualized communication to the DATA SUBJECTS.

This policy was last updated on 05/03/2024.