General

Verna MGA ehf, registration no. 610421-0830, Ármúli 13, 108 Reykjavík, values individual privacy and takes data protection very seriously. Verna places great emphasis on ensuring that the processing of personal information is always in compliance with applicable data protection legislation. This notice outlines the personal information the company collects about individuals in relation to its operations and for what purposes. Additionally, it provides information on other recipients of the data and how long the company retains it. It also includes details about the basis on which Verna collects personal information, the rights individuals are entitled to, and other important information related to the Data Protection and Processing of Personal Data Act No. 90/2018 (hereafter referred to as the Data Protection Act).

Verna acts as an agent for the insurance company TM tryggingar hf. (hereafter "TM"). TM operates under a license issued by the Financial Supervisory Authority. TM’s purpose is to engage in all types of insurance activities and related operations permitted by law. TM is responsible for the processing and handling of personal information within its operations. In connection with the execution of insurance agreements, Verna, as TM’s agent, may process personal information where TM is the data controller, and Verna acts as the data processor. For the processing of personal data related to Verna's services not connected to the execution of an insurance agreement, Verna is considered the data controller. Customers can access TM’s privacy policy here.

What Are Personal Data and the Processing of Personal Data?

Personal data refers to any information that can be linked to a specific individual, such as information about their name, social security number, address, email address, phone number, financial status, health, IP address, and more. Further definitions of personal data can be found in points 2 and 3 of Article 3, Paragraph 1 of the Data Protection Act.

Sensitive personal data refers to personal information that is afforded special protection under the Data Protection Act, such as information about racial or ethnic origin, political or religious beliefs, trade union membership, genetic data, health, data concerning a person’s sex life or sexual orientation.

The processing of personal data refers to any handling or use of personal information, such as its collection, registration, storage, modification, or deletion. A more detailed definition of the processing of personal data can be found in point 4 of Article 3, Paragraph 1 of the Data Protection Act.

Purpose of Collecting Personal Data

The purpose of collecting personal data is to:

• Fulfill contractual obligations, for example, with employees and business partners.
• Provide requested services to customers.
• Protect the legitimate interests of the company.
• Comply with legal obligations.

Legal Basis for Processing Personal Data

Verna collects and processes personal data based on the following legal grounds:

• Based on the consent of individuals.
• To fulfill contractual obligations.
• To comply with legal obligations.
• To protect the legitimate interests of the company.
• To establish, pursue, or defend a legal claim.

How Does Verna Process Personal Data?

At Verna, the processing of personal data is conducted on a lawful basis and in compliance with the Data Protection and Processing of Personal Data Act No. 90/2018. The company ensures that personal data is not processed further in a way that is incompatible with the original purpose of the processing.

The company adheres to the following key principles:

1. Personal data is processed in a fair manner.
2. Personal data is collected only for clear purposes.
3. No more personal data is collected than necessary.
4. Personal data is accurate and updated when needed.
5. Personal data is not stored longer than necessary.
6. Appropriate security measures are taken to protect personal data.

In the design of its solutions, Verna has aimed to follow the design principles of The Good Data Institute[2], which, for example, emphasise that data collection and processing should be based solely on the informed consent of customers, enhance individuals' ability to make decisions, and, where possible, allow the public to benefit from open access to useful anonymised information.

Specifically, the company collects and processes personal data to:

• Reduce customer risk
• Minimize potential losses customers may face
• Assess and price risks in a new and fairer way
• Automate and improve services
• Ensure fair and faster claims payments
• Strengthen relationships with customers
• Develop new insurance products and services that meet customers' evolving needs

Verna will also explore with its partners the possibility of providing access to anonymized traffic data, which could, for example, be used to analyze traffic bottlenecks or identify hazardous road sections. Over time, this could contribute to improved and safer road networks.

Verna will never sell customer data to third parties. Additionally, Verna will never use driving data collected through its app, which is used to generate driving scores, for liability assessments in the event of accidents involving its customers.

Whose Personal Data Does Verna Collect?

In its operations, the company needs to collect and process personal data about different groups of individuals.

The personal data handled by the company may include information about its employees, job applicants, business partners, potential policyholders (i.e., individuals requesting an insurance quote or those the company wishes to offer a quote to), customers such as policyholders, spouses and children of policyholders or potential policyholders, and other third parties with whom communication is necessary.

These third parties may include individuals who have suffered a loss and are making a claim under the insured party's liability insurance, drivers involved in the operation of a registered motor vehicle during a collision or other traffic incident, witnesses providing information about an incident, or those paying premiums on an insurance policy.

An individual may also choose to authorise another party or grant them legal permission to act as an intermediary in communications with Verna. In such cases, the identification and contact information of that authorised individual may be recorded.

How Long Does Verna Retain Personal Data?

Verna retains data and information as required by law or as long as there are legitimate reasons to do so. When there are no longer legitimate reasons to retain information, it is either deleted or, when appropriate, anonymised/encrypted.

Examples of retention periods for personal data are as follows:

• Insurance applications, contract documents, and claims data for individuals are retained as long as the business relationship exists, unless statutory limitation periods specify otherwise.
• As an agent of TM, customer transaction records are retained by Verna for at least 5 years in accordance with the guidelines of the Central Bank of Iceland (No. 1/2019) regarding the risks associated with operating information systems for regulated entities.
• Accounting records are retained by Verna for at least 7 years from the end of the fiscal year, in accordance with the Accounting Act No. 145/1994.
• Verna retains certain data about individuals indefinitely, such as information about the insurance coverage an individual has purchased, specific claims data, and other relevant details.
• Driving data is stored for a minimum of four years. Verna's processing agreements with Floow ensure that data is only stored in anonymized form within the company's systems, located within the European Economic Area and the United Kingdom.
• Marketing referral data, such as when you refer friends or family to Verna, is retained for a maximum of 6 months if the referred individual does not purchase services from Verna within that period.

Automated Decision-Making

Automated decision-making is the process where decisions are made automatically without any human involvement. Such decisions can be based on profiling, i.e., when personal data is used to assess certain aspects of an individual's situation, particularly to analyze or predict factors related to their performance at work, financial status, health, etc.

Verna conducts a risk assessment for each applicant and customer, which forms the basis for insurance pricing. The risk assessment is automated and based on factors such as age, engine size and fuel type of the vehicle, family circumstances, previous claims history, and more.

Additionally, Verna uses the company's app to assess the risk that customers take while driving, calculating a monthly driving score, which can then lead to adjustments in the premiums for the following month.

What Personal Data Does Verna Collect?

Verna collects various types of personal data about different groups of individuals depending on the nature of the company's operations. Under all circumstances, the company aims to collect only the personal data necessary for the purpose of processing.

In certain cases, the company needs to collect sensitive personal data, such as health information and union membership of employees. Special care is taken in handling such data.

Verna collects and processes the following categories of personal data:

Application Process

Verna allows customers to purchase insurance through the company's app. In the application process, Verna requests personal information such as personal identification number, name, address, email, phone number, vehicle registration number, and payment card and bank details. With the customer's consent, this information is then used to obtain additional data from third parties (see the section below titled “Data Processing and Third Parties”). This data processing is necessary to allow Verna to assess and price the risk of insuring the customer's vehicle, to evaluate the customer's insurance needs, to send offers to customers, to send terms and conditions, to sign an insurance contract with customers, to send insurance certificates to customers, and to prevent fraud.

Verna acts as a data processor for TM in relation to the above processing.

Management and Insurance Services

Verna collects various personal and non-personal data about customers when providing services to them. The data collected, how long it is stored, and how quickly it can be deleted upon customer request depend on the specific service the customer requests or uses from Verna. The following data is stored in Verna’s systems, among others:

• Name, personal identification number, address, phone number, and email address.
• Bank details, such as payment card information.
• Information regarding the customer's interest in services or information about their hobbies if the customer has shared this or if Verna determines it based on the customer's usage.
• Communication between the customer and Verna, such as phone calls/emails/online communications to Verna representatives or other interactions with the company or its affiliates. Phone calls with Verna employees who are in direct communication with customers are recorded to verify verbal communication (e.g., business instructions). Verna records phone numbers and communication details, such as email addresses, along with the content of the communication.
• Information about the customer’s transactions with Verna, such as the type of service, product purchases, account history, account amounts, outstanding balances, and other details related to the customer’s account.
• Phone numbers and email addresses of individuals the customer refers to Verna for business purposes.
• Customer’s usage of Verna’s website, such as the pages they visit.
• Claims data, including the type of claim, claim date, claim location, and cost of damages.
• Information about the customer's use of Verna's mobile app.
• System-related information connected to the customer, such as technical error messages, system failures/incidents, and their timestamps.

Verna acts as a data processor for TM in relation to the above processing.

Claims Information

The nature of Verna's services involves receiving damage notifications and claims data from customers, police, insurance companies of other drivers, and service providers offering on-site assistance when vehicles are involved in accidents, such as Aðstoð og öryggi ehf. and Króki ehf. When processing claims, the company may request additional information from customers.

Customers can report accidents through the company's mobile app, and later also via Verna's website. During the claims notification process, customers are typically asked to provide the following information:

• Which vehicle(s) were damaged, e.g., one or more vehicles.
• Name and personal identification number of the driver and any other drivers involved in the accident.
• Phone numbers and email addresses of other drivers involved in the accident.
• Date and time the accident occurred.
• Location of the accident.
• Photographs of the damaged vehicles and the surrounding area.
• A description of what happened, and customers have the option to submit either audio recordings with their account of the incident or written descriptions.

Before submitting the claim notification, customers are asked to electronically sign it.

Customers may choose to call Aðstoð og öryggi ehf. to assist with obtaining and processing information about the incident. Aðstoð og öryggi ehf. forwards the claim report to the insurance companies of all involved parties as well as Verna’s customer.

If the accident results in injuries or if any of the parties involved in the incident is under the influence of alcohol or other substances, the police are always called, and they prepare a police report, which is then shared with the insurance companies of all involved parties.

All of the above information is necessary for assessing the damage and processing claims payments.

Verna acts as a data processor for TM in relation to the above processing.

Processing of Accident Victims' Claims

In the processing of claims involving injuries to individuals, Verna, and/or the insurance company TM, must gather additional information from the accident victim and health authorities regarding health conditions, including injury and health-related data before and after the accident. Furthermore, Verna or TM may collect information about the victim's wages, employment status, disability pension rights with a pension fund, one-time disability benefits from public insurance, and more, according to Section 4, Subsection 5 of the Compensation Act No. 50/1993.

The purpose of this data collection and processing is to assess liability for damages and the amount of compensation. This information is collected with the consent of the individual involved (the insured or other accident victims), as per Item 1, Subsection 1 of Article 11 of the Data Protection Act. The information is also shared with experts, such as a consulting physician and a lawyer, who assess the consequences of physical injuries in accordance with the insurance agreement or Compensation Act No. 50/1993.

Verna is responsible for registering accident victims, while TM handles the processing of accident claims in Verna’s systems. Here is a link to TM's privacy policy.

Verna acts as a data processor for TM in connection with the aforementioned processing.

Driving Data 

Verna’s mobile app uses sensors commonly found in smartphones today to create driving scores for users, which are used to calculate customer premiums and provide them with access to information that helps improve their driving.

The Verna app uses the following sensors:

• Accelerometer: Used to assess how harshly the vehicle starts, brakes, or changes lanes.
• Gyroscope: Used to determine whether the phone is being held during driving, for example, to answer emails or text messages.
• Proximity sensor: Can detect if the phone is being held near the face.
• Magnetometer: Used to assess the acceleration of the vehicle in and out of turns.
• Screen unlock: Used to check whether the phone is being used while driving.
• GPS data: Used to assess where the vehicle has been driven, how long the trip lasted, and how fast the vehicle was traveling.

These sensors are used to generate a total driving score for each customer, along with five sub-scores for aspects like smoothness, speed, distraction, time of day, and fatigue while driving. Verna has an agreement with the British company Floow, which specializes in interpreting smartphone data into driving scores, and works with many of the largest insurance companies worldwide.

To ensure privacy, Verna only stores very specific driving data in its systems, such as the total driving score and sub-scores for each customer (e.g., smoothness, speed, distraction, time of day, and fatigue while driving). Verna neither collects nor stores data about individual trips (e.g., trip scores, what caused a low or high score, or map data showing where the customer drove), as this data is kept in a personally identifiable form in the customer’s phone.

To maintain this separation, Verna's collaboration with Floow ensures that a new anonymous identifier is created each time a new customer enters into a business relationship with Verna. Verna does not share any personally identifiable information with Floow in this process. Verna passes an anonymous identifier to Floow through the Verna app. The app then transmits trip data to Floow via encrypted communications, along with the anonymous identifier. The customer’s phone subsequently retrieves processed driving data directly from Floow, using the same anonymous identifier.

Floow then returns the total and sub-scores for each anonymous identifier, along with the number of trips, total kilometers driven, and total driving time. This ensures that Floow never knows who owns the phone and that Verna only stores total scores, sub-scores, the number of trips, total driving time, and total kilometers driven for each customer in its systems. Verna does not store driving data about individual trips, such as speed, smoothness, time of day, fatigue, distractions, driving events, or maps of each trip.

Customer privacy is further ensured by allowing customers 48 hours after a trip to delete individual trips. If a customer systematically deletes poor trips, Floow will flag this behavior to Verna, and this could lead to an increased risk assessment for that customer.

Verna will not use the driving data for liability assessments related to accidents in which customers are involved. The separation of roles between Verna and Floow ensures that the company cannot use driving data to assess customer liability in specific incidents.

Verna also does not store any data in its systems about whether traffic laws have been violated. For example, the speed score a customer receives for each trip does not indicate whether the customer exceeded the speed limit but measures the so-called "environmental speed"—i.e., whether the customer drove a particular road segment much faster or slower than other drivers on average. In this way, very slow driving can be just as dangerous as very fast driving.

Verna is a data processor for TM in relation to the above processing.

Email Communication and Online Chat

We use email to communicate with customers and other contacts, collecting contact information and the communications themselves for this purpose. Verna also offers online chat with customers through the company's mobile app and website, and collects contact information and the communications themselves in this context.

Verna may act as either a data processor for TM or as a data controller, depending on whether the communication is related to the execution of an insurance contract or not.

Contracts 

For the purpose of making contracts with counterparties, we collect basic information about them.

Verna may act as either a data processor for TM or as a data controller in relation to the above processing, depending on whether it concerns an insurance contract or not.

Invoicing

For the purpose of sending out invoices and collecting payments, we collect basic information about customers along with the invoice amount.

Verna may act as either a data processor for TM or as a data controller in relation to the above processing, depending on whether it concerns the execution of an insurance contract or not.

Customer Records

For the purpose of maintaining a record of current and former customers along with their transaction history, we collect basic information about them.

Additionally, the company collects imagery from surveillance cameras that may contain personal data.

Verna may act as either a data processor for TM or a data controller in relation to the above processing, depending on whether it pertains to the execution of an insurance contract or not.

From whom does Verna collect information about you?

Verna primarily collects personal data directly from the individuals concerned, such as during insurance procurement and claims notifications. The company also relies on public records and information from authorities in its processing. Verna uses the following data services:

The National Registry (Þjóðskrá)

When preparing an offer, Verna obtains information from the National Registry to verify the name, national ID number, family situation, and address of the customer. 

Vehicle Registry

The Icelandic Road and Traffic Authority (Samgöngustofa) is the data controller for the vehicle registry, but Verna has entered into a data processing agreement with the authority, which allows the company to look up information in the registry if a customer wishes to purchase or request an insurance offer from Verna. During the offer preparation process, Verna collects the following information from the vehicle registry:

• Verification of the vehicle registration number.
• Verification of whether the customer is the registered owner, co-owner, or has control of the vehicle.
• Verification of whether the owner/co-owner/controller of the vehicle holds a valid driver's license and when it will next need to be renewed.
• Various technical details about the vehicle, such as make, engine size, color, and age.
• Verification of whether the vehicle has been involved in any accidents.
• Verification of whether the vehicle has been modified.
• Information about the vehicle's most recent inspection and when the next inspection is due.

Verna also shares information with the Road and Traffic Authority if the vehicle is involved in an accident. Furthermore, as a data processor, Verna is required to maintain a record and retain the information provided from the vehicle registry, including the electronic origin of the queries, the name of the individual requesting the information, the specific data items requested, and the information that is returned, for two years.

The Car Database

On behalf of the International Motor Insurance in Iceland (ABÍ), a database known as the Car Database is operated, which tracks vehicle insurance and keeps records of which insurance company insures each vehicle. The Car Database is used to ensure the proper transfer of insurance coverage from one insurance company to another when customers choose to switch insurance providers.

Verna checks the Car Database to determine with which company a vehicle is insured when making an offer for a new insurance policy. Verna also submits data to the Car Database stating that the owner of the vehicle has entered into an agreement with Verna to purchase vehicle insurance with the given company, and that the insurance coverage will be transferred from the current insurer to TM (Tryggingamiðstöðin) from a specified date. Provided that there are no outstanding obligations with the original insurer, the insurance is transferred to Verna at the next month-end.

Claims Database

Creditinfo operates, with the authorization of the Data Protection Authority, a shared claims database for vehicle insurance in Iceland, with the purpose of preventing insurance fraud and overpayment of claims.

Verna, as an agent of TM, directly registers data into the claims database and is the data controller for the data it registers in the database, while Creditinfo is the data processor.

The following information is recorded in the claims database:

• Name of the insurance company
• Vehicle registration number
• Personal identification number (kennitala) of the claim holder
• Case number with the insurance company
• Type of insurance
• Type of claim
• Date of the claim
• Date of registration in the claims database
• Location of the claim
• Unique identifier of the insured, such as the vehicle registration number, etc.

It is prohibited to record information in the claims database regarding specific health details related to bodily injuries.

CABAS Claims Evaluation System

CABAS is a claims evaluation system used by insurance companies and auto repair shops to exchange information about the assessment and repair services of damaged vehicles. The system is owned by the Swedish company CAB Group AB.

The following information is recorded in the CABAS claims evaluation system:

• Vehicle registration number
• Name of the insurance company
• Personal identification number (kennitala) of the claim holder and vehicle owner
• Case number with the insurance company
• Type of insurance
• Date of registration in the system
• Extent of the damage to the vehicle
• Authorization from the insurance company for vehicle repair
• Estimated and actual cost of vehicle repair
• Information on the progress and status of the vehicle repair
• Customer's deductible

Verna directly registers data into the claims database and is the data controller for the data it registers in the database, while Creditinfo is the data processor.

Electronic Identification and Signature

Verna uses services from Dokobit for electronic identification of customers and for electronic signature of documents. Essentially, the electronic credentials of the customers are used to verify the customer's identity during login to the company's mobile app and when signing documents. Electronic credentials are personal identifiers used in the digital world. Identifying oneself with electronic credentials online is equivalent to presenting personal identification documents. Electronic credentials can be used for legally valid signatures, which are equivalent to a physical signature.

Other Service Providers

Through the company's mobile app, Verna offers customers various value-added services, including paying for parking. If a customer chooses to use the service, Verna may need to share personal identifiable information, such as name, personal identification number, and vehicle registration number. Verna is the data controller for the information shared with such service providers who are classified as data processors of personal identifiable information. All such data processors sign a processing agreement with Verna and a confidentiality declaration regarding the protection of personal identifiable information they receive in connection with providing services to Verna's customers.

Whenever and if information is collected from other third parties, the company will make every effort to inform the relevant individuals about this.

Confidentiality and Data Protection

Verna strives to ensure the utmost security in handling personal data. Verna employees sign a confidentiality agreement as part of their employment with the company and are bound by confidentiality regarding the knowledge and tasks they perform for Verna. The obligation of confidentiality applies to employees even after they leave their position at Verna. Breaches of confidentiality may lead to termination and such cases may be referred to the police.

Verna is responsible for the processing of your personal data and is committed to complying with rules regarding the protection and security of the information. Verna's specialists monitor to ensure that customer data is securely protected and does not fall into the hands of anyone other than those who need it to perform their work. Access to data is strictly controlled, so that employees only have access to the data necessary to carry out their duties at Verna.

When does Verna share your personal information with third parties and why?

Verna shares personal information with third parties who are hired by the company to carry out specific tasks, such as service providers, agents, or contractors. In such cases, Verna enters into a data processing agreement with the respective party. This agreement outlines, among other things, the third party's obligation to follow the company's instructions regarding the handling of personal data and prohibits them from using the data for any other purpose. Additionally, they are required to ensure the security of the information in an appropriate manner.

In other cases, it may also be necessary for the company to share personal information with third parties, for example, when there is a legal obligation to do so.

Transfer of personal information outside the European Economic Area

Verna is aware that strict conditions apply to the transfer of personal data to countries outside the European Economic Area. Verna will not transfer such data under any circumstances unless sufficient legal authorization is provided in accordance with the Personal Data Protection and Processing Act No. 90/2018.

Rights of individuals

If individuals have given consent for the processing of specific personal data, they have the right under the Personal Data Protection and Processing Act No. 90/2018 to withdraw their consent at any time. However, this right does not affect the lawfulness of processing that occurred before the consent was withdrawn. Individuals also enjoy other rights, such as the right to be informed about the processing, the right to access their data, the right to have inaccurate or misleading information corrected, the right to have personal data erased, the right to prevent processing of personal data about them, and the right to transfer their own data. It should be noted that these rights are not always unconditional and may be subject to certain conditions.

Contact Information for Verna

Name: Verna MGA ehf.

Address: Ármúla 13, 108 Reykjavík, Iceland

Email: verna@verna.is

Phone: 449 7700

Further Information and Data Protection Officer

If individuals have further questions regarding this privacy policy, they can always contact Verna's data protection officer:

Name: Dattaca Labs Iceland ehf.

Address: Kalkofnsvegur 2, 101 Reykjavík, Iceland

Email: dpo@dattacalabs.com

Phone: 517 3444

Right to Lodge a Complaint with the Data Protection Authority

If you believe that Verna is not processing your personal data in compliance with the Personal Data Protection and Processing Act No. 90/2018, you have the right to lodge a complaint with the Data Protection Authority (Persónuvernd).

Review of this Privacy Policy

This privacy policy may be updated from time to time to reflect changes in relevant laws and regulations or if there are changes in how Verna processes personal data. Any changes made to this privacy policy will be announced on the company’s website, www.verna.is.

Once changes to the privacy policy have been made, they will take effect once the updated version is published.

Last updated in April 2022.