Tryg’s Privacy and Cookie Notice

Updated December 1 2022

Data controller (‘we’)
Tryg Forsikring A/S, Klausdalsbrovej 601, 2750 Ballerup, Denmark, CVR no. 24260666, (‘we’) is the data controller of the personal data we process.
Tryg Forsikring A/S also includes Alka, TJM, FDM Forsikring and Tryg Garanti.
The purpose of our privacy and cookie notice is that you should feel protected and cared for in relation to how we process your personal data.

Here, you may find information about whom we process data, which data we collect, which sources we collect data from, whom we share the data with and for how long we store the data.

We are bound by confidentiality
We are bound by confidentiality pursuant to the Danish Financial Business Act (Lov om finansiel virksomhed), and we process your personal data
in absolute confidence. The duty of confidentiality also applies internally between our employees. We do not disclose your personal data unless
you have consented to this, or we have another legal basis for such disclosure pursuant to the Danish Financial Business Act and the personal
data protection legislation.

How we process personal data depends on the purpose of our processing activities.

In Part I, you can read about how we process personal data about you when we
A Prepare a quote, effect an insurance policy and otherwise administrate insurance agreements
B Handle claims
C Investigate suspected fraud
D Prepare profiling, statistics and analyses as well as automated decisions
E Market products to you
F Use cookies, are on social media and when you visit our website and those of others
G Observe our obligation to fight money-laundering and financing of terrorism
H Communicate with you on other matters

In Part II, you can read about how we protect your personal data when we
I Communicate by email
J Record telephone conversations with you
K Process your data digitally
L Experience personal data security breaches
M Disclose personal data to other parties
N Transfer data to third countries

In Part III, you can read about your rights as a data subject
O Withdrawal of consent
P Other personal data rights

In Part IV, you can read about how you can contact us and make a complaint


I. How we process personal data about you when we;

A. Prepare a quote, effect an insurance policy and otherwise administrate insurance agreements

When we prepare a quote or enter into an insurance agreement, we process data about the party who takes out the insurance (the
policyholder), see Article 6(1)(b) (necessary for the performance of a contract) of the General Data Protection Regulation, and about other
persons who are covered by or otherwise related to the insurance, see Article 6(1)(f) (legitimate interests) of the General Data Protection Regulation. If we obtain your civil registration (CPR) number in connection with preparation of a quote or special categories of information, we obtain your consent, see Article 9(2)(a), cf. 6(1)(a) of the General Data Protection Regulation. When you become a customer with us we may process your civil registration (CPR) number without consent, see Section 43(b) of the Danish Financial Business Act (Lov om finansiel virksomhed), cf. Section 11 (2) (i) of the Danish Data Protection Act (Databeskyttelsesloven).

Categories of data subjects in our systems may be:
• The policyholder
• The insured (typically spouses/cohabitants, children and insured under group insurance policies such as health insurance
paid by the employer)
• Beneficiaries
• Representatives/contacts
• The owner/user of an insured item

Categories of personal data we collect and process
We only collect and use data when it is necessary in order to enter into, manage and perform the insurance agreement and to administer
our insurance business. The data we process in connection with quotes and the effectuation of insurance policies will depend on the concrete
type of insurance. We do not request health data in connection with quotes and the effectuation of insurance policies.

Categories of personal data may be:
• Contact details (e.g. name, address, email and telephone number)
• Date of birth and, if necessary, civil registration (CPR) number in order to identify you
• Payment details
• Insurance data about you or the insured item (e.g. employment, registration number, data about your previous similar insurance policies and
claims with other insurance companies)
• Your connection to our business partners and any trade union membership if you take out insurance through a member organisation, bank,
association, employer or other parties with associated discounts and other benefits
• Data about fees due in DFIM (Danish Motor Insurers’ Bureau)
• Our assessment of your customer status and profitability, e.g. how many claims you have made compared to what we expected you would
have
• Information needed in order to determine the price of the insurance, including information from external registers, e.g. BBR
• Driving behaviour (driving score) if you have pay-as-you-drive products with us
• Your cookie ID, unit type/ID (including information sent automatically from your equipment in the form of language setting, IP address and
demographic data) and your behavior on our sites and those of our business partners.

Collection and disclosure of personal data
Sources of data and categories of data recipients may be:
• The policyholder
• The Central Office of Civil Registration (Det Centrale Personregister) (in order to update address and for information about opt-out registration
for unsolicited advertising)
• Virk.dk (in order to update address and for information about opt-out registration for unsolicited advertising for businesses)
• BBR (Central Register of Buildings and Dwellings for information about your property)
• DMR (Digital Motor Register)
• Bilstatistik.dk (information about motor vehicles)
• DFIM (Danish Motor Insurers’ Bureau)
• Other insurance companies
• Business partners, including trade unions, which entitle you to discounts and other benefits
• Business partners and suppliers who assist us in the administration and performance of your insurance agreement e.g..insurance providers, or
where our cooperation and/or your membership or customer relationship entitles you to special advantages (e.g. discounts or the right to
subscribe to Alka Fordele)
• Tryg Garanti and Tryg Invest A/S
• Employers and pension providers (for registration under group insurance policies)
• Representatives and contact persons, including attorneys
• Insurance brokers and reinsurance brokers
• Public authorities

We may disclose your information, provided we are entitled hereto pursuant to Section 117 (1) of the Danish Financial Business Act (Lov om
finansiel virksomhed), cf. Article 6(1), cf. (2), cf. (3) of the General Data Protection Regulation.
In some cases, we obtain data about your insurance policies from your current and previous insurance companies and exchange data with business
partners who entitle you to discounts and other benefits. We request your consent to do so.

Storage
We store personal data for as long as this is necessary for the purpose of our processing activities. This means that we store data during such
period when we can be met by a claim, are obliged to do so pursuant to current legislation (e.g. the Danish Bookkeeping Act (Bogføringsloven)
and financial supervisory legislation) or have another legitimate data storage purpose.

We store quotes to private individuals for up to six months and quotes to sole proprietorships for up to twelve 12 months in cases where you do
not accept the quote. If you take out an insurance policy, we generally base our data storage on the absolute limitation periods laid down in the
Danish Limitations Act (Forældelsesloven) of 10 and 30 years, respectively, from termination of the policy and any supplementary limitation rules
in the event that a subsequent claim is made. We also store the insurance policy for as long as we have registered a claim.

Read about storage of data for statistical and analytical purposes etc. in section D below.

Otherwise administrate insurance agreements – Pay out bonus, administrate elections and the right to vote
As a policyholder with us you are automatically a member of TryghedsGruppen to whom we disclose information in order for them to
administrate your membership. Under certain circumstances members of TryghedsGruppen receive a bonus calculated on the basis of
insurance covers. Also, as a member you may run for and vote at elections in TryghedsGruppen’s board of representatives. In order for
TryghedsGruppen to administrate your membership, we disclose your name, address, policy number, civil registration (CPR) number/CVR
number, account number and bonus amount to be paid out.

Manage non-payment
If you fail to fulfil your payment obligation to us we may report you to credit rating agencies or warning registers in accordance with applicable
law. We may also register in our own systems that you have failed to fulfil your payment obligations or have fallen into arrears with us. This is
subject to a concrete assessment in order to ensure our profitability, see Article 6(1)(f) (legitimate interests) of the General Data Protection
Regulation.


B. Handle claims

When we handle claims under private, business and group insurance policies, we only register personal data necessary to process the claim and
assess the compensation payable under the claim, see Article 6(1)(b) (necessary for the performance of a contract), Article 9(2)(f) (legal claims)
and Article 6(1)(f) (legitimate interests) of the General Data Protection Regulation.

Categories of data subjects in our systems may be:
• The policyholder
• The insured, e.g. spouse/cohabitant and children or insured under group insurance policies
• Beneficiaries
• The claimant
• The tortfeasor
• Opposing parties
• Witnesses
• Business partners and treatment providers
• Representatives/contact persons
• Attorneys involved in the claim

Categories of personal data we collect and process
During our claims handling, we only process and register the data necessary to assess the claim. This will depend on the specific case.
Categories of personal data may be:
• Contact details (e.g. name, address, email and telephone number)
• Date of birth and, if necessary, civil registration (CPR) number in order to identify you
• Payment details
• Matters pertaining to employment contexts
• Insurance data (on current and previous insurance policies with other insurance companies, about claims, types of claims, details pertaining
to the processing of specific claims, compensations paid, claims documentation and date and reason for a termination)
• Information about the damaged item (e.g. age, purchase price and examination results)
• Events occurred in connection with the damage or injury (e.g. analysis, reconstruction of an accident, loss adjuster’s report and police
reports)
• Date, nature, type and cause etc. of the claim
• Data about health, illness and contacts with health care services
• Salary and social and financial circumstances (needed to calculate compensation)
• Photos, video and sound recordings of the damage or injury
• Your cookie ID, unit type/ID (including information sent automatically from your equipment in the form of language setting, IP address and
demographic data) and your behavior on our sites and those of our business partners.

Collection and disclosure of personal data
We only disclose personal data when this is necessary e.g. to enable us and our business partners to process your claim, when we have a claim
against others as a result of your claim, or if we are legally bound to do so (e.g. reporting to the Danish Customs and Tax Administration (SKAT)
of compensations paid).

Sources of data and categories of data recipients may be:
• The policyholder
• The insured (typically spouses/cohabitants, children and insured under group insurance policies)
• Beneficiaries
• The claimant
• The tortfeasor
• Witnesses and secondary parties
• Business partners and suppliers who assist us in the administration, handling, assessment or repair of the damage, e.g. loss adjusters,
workshops, tradesmen, manufacturers, emergency call centres and carriers
• Treatment providers, e.g. physicians, specialists, dentists, psychologists, physiotherapists etc.
• Danish Labour Market Insurance (Arbejdsmarkedets Erhvervssikring) (AES)
• Public authorities such as municipal authorities, the Danish Customs and Tax Administration (SKAT) and the police
• The Central Office of Civil Registration (Det Centrale Personregister) (in order to update address)
• Boards of appeal, appeals bodies and courts of law
• Patienterstatningen (Patient Compensation Association)
• Other insurance companies, including Sygeforsikringen “danmark” (e.g. in connection with recourse where we collect outstanding amounts
under an insurance policy in another company, or where other insurance companies make claims against us)
• Mortgagees
• Leasing companies
• Buyers of damaged goods (e.g. cars and machines declared total losses)
• Representatives and contact persons including, attorneys
• Other departments in Tryg Forsikring A/S (e.g. in case of exchange of data between workmen’s compensation, liability and accident insurance
concerning the same claim event such as local government documents, information about salary etc.)

We may disclose your information, provided we are entitled hereto pursuant to Section 117 (1) of the Danish Financial Business Act (Lov om
finansiel virksomhed), cf. Article 6(1), cf. (2), cf. (3) of the General Data Protection Regulation, e.g. when we have recourse against other insurance
companies for our payment.

In claims cases, the consent form that you sign contains information about who we may obtain information from and to whom we may disclose
data, subject to your consent. Such parties may include, for example, doctors, hospitals, your current and former municipalities of residence or
other expressly specified recipients.

Storage
We store personal data for as long as this is necessary for the purpose of our processing activities. This means that we store data during such
period when we can be met by a claim, are obliged to do so pursuant to current legislation (e.g. the Danish Bookkeeping Act (Bogføringsloven)
and financial supervisory legislation) or have another legitimate data storage purpose.
As a general rule, we store claims in accordance with the absolute limitation periods of 10 and 30 years, respectively, stipulated in the Danish
Limitations Act (Forældelsesloven), from when the notice of claim was reported as well as any supplementary limitation rules in the event that
the claim is resumed.


C. Investigate suspected fraud


Investigate suspected fraud

We have a legitimate interest in verifying that your claim for compensation is legitimate, and in ensuring that our customers do not pay higher
premiums due to insurance fraud, see Article 6(1)(f) (legitimate interests) and Article 9(2)(f) (legal claims) of the General Data Protection
Regulation.

You can read about our data processing in connection with our investigation of cases of suspected insurance fraud at tryg.dk/om-tryg/forsikringssvindel. We follow the code of conduct of the industry organisation Forsikring & Pension (the Danish Insurance Association). In addition to the data and sources normally forming part of our claims handling, we also obtain current and historical data from publicly accessible sources and open profiles on social media in accordance with the guidelines laid down in the code of conduct.

We continuously screen our customer portfolio to identify cases for investigation of fraud. This may mean that your case is selected for closer
inspection based on a score (profiling). Tryg may also make use of recorded phone conversations relating to unravelling of fraud.

If we find that you have committed insurance fraud against us, we register this in our internal systems to protect our business and thereby also
our other customers from fraud in the future, see Article 6(1)(f) (legitimate interests) of the General Data Protection Regulation.

D. Prepare profiling, statistics and analyses as well as automated decisions


Prepare profiling, statistics and analyses
Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating
to a natural person, in particular to analyse or predict aspects concerning this person.

Profiling is made by automatically comparing your personal data, e.g. your master data and contact information, information about your job and
household, current and previous insurance coverage, premiums, quotations, information about our earlier contact with you, your address, home,
business, age, claims history, your customer relationship, your affiliation with our business partners, publicly available data (e.g. house data, telephone number and business data) as well as statistical information about the geographical area in which you live, e.g. average income, assets, age, life phase, house type and risk of floods.

We use profiling, for example, when we:
• Calculate or change your prices and terms and give you product recommendations, see Article 6(1)(b) (necessary for the performance of a
contract) of the General Data Protection Regulation.
• Assess whether we can make an automated decision in your case, see Article 6(1)(b) (necessary for the performance of a contract) of the
General Data Protection Regulation.
• Perform marketing and targeted communication, see Article 6(1)(f) (legitimate interests) of the General Data Protection Regulation.
• Assess the risk of fraud in your case, see Article 6(1)(f) (legitimate interests) of the General Data Protection Regulation.
• Build predictive models for, for example, assessment of profitability, pricing, sales and upselling possibilities, churn risk, assessment of risk of fraud, prediction of claim expense etc.

We also use your data for statistics, analyses and predictive models, including profiling, in order to improve our products, services, quotes, advisory services and technical solutions and to manage our insurance business, such as:

• Statistics, analyses and predictive models used for risk management and insurance distribution, e.g. preparing of pricing, insurance tariffs
and renewal prices, product recommendations, monitoring of profitability, general changes in terms of prices and conditions, insurance provisions, solvency and reinsurance. The basis for this is found, among other things, in the rules in the financial supervisory legislation, including the Danish Financial Business Act (Lov om finansiel virksomhed), the Solvency II Regulation and the regulation on product oversight and governance requirements for insurance undertakings and insurance distributors, see Article 6(1)(c) (legal obligation) and Article 9(2)(g) (substantial public interests) of the General Data Protection Regulation as well as Section 10 of the Danish Data Protection Act (Databeskyttelsesloven).
• Statistics, analyses and predictive models for management of our insurance business, including focus on profitability, growth, efficiency, sales and upselling, service and claims handling, new customers and churn of customers and policies, see Article 6(1)(f) (legitimate interests) of the General Data Protection Regulation.
• Other statistics, analyses and predictive models in order to optimise our business, e.g. efforts to investigate fraud, marketing initiatives and
targeted communication, see Article 6(1)(f) (legitimate interests) of the General Data Protection Regulation.

Make automated decisions
In certain situations, we make decisions which are based solely on automated processing, including profiling, and which have legal effect or similar significant effect on you, see Article 22 of the General Data Protection Regulation. This means that the processing is made in our systems with no
human involvement. In other words, a rule or an algorithm in our systems calculates and informs you of the result.

Such individual automated decisions are made, when we online:
• Sell an insurance product or provide a quote. The price is calculated by comparing the information you give us in connection with the purchase to our assessment of your risk of claims. The higher/lower the risk of a claim being made during the insurance period, the higher/lower the price of your insurance will be. Factors which may lead to a higher price include, for example, a high risk of personal injury in your job or living in an area where the risk of flooding or burglary is higher than in other places. On the other hand, factors which may lead to a lower price include, for example, having a small house or driving fewer kilometres a year than most other people. If we are unable to provide a quote or sell an insurance product to you online, e.g. because you have had more claims than we would have expected, you will
instead be referred to contacting us for a quote or to buy an insurance product from one of our employees.
• Process your claim. We assess any claim for compensation you may make by comparing the information you provide when reporting the
claim with your insurance coverage, your terms and conditions and your customer relationship in general, including number of claims. We can also provide you with an advance assessment of your cover on a travel insurance. The decision may result in full or partial acceptance of your claim/cover or in a rejection. If your claim cannot be processed automatically, e.g. because we need further information due to the complexity or scope of the claim, or because we are concerned about increased risk of fraud, your claim will be transferred for processing by one of our employees.

The purpose of our automated decisions is to make it possible for you to obtain a quote, buy an insurance product or have your claims handled
quickly and efficiently at any hour of the day, see Article 6(1)(b) (necessary for the performance of a contract), Article 9(2)(f) (legal claims) and
Article 22(2)(a) (necessary for entering into, or performance of, a contract) or Article 22 (2)(c) (consent) of the General Data Protection Regulation.

If your health or trade union information forms part of the automated decision, we ask for your consent, see Article 22(4) of the General Data
Protection Regulation.

If you do not want us to make an automated decision, you can always contact us to request a quote, buy an insurance product or have your claim handled by one of our employees instead.

We regularly check and test our systems and data models to ensure decisions are made on a just, objective and correct basis. You can always contact us if you wish to express your point of view, want an explanation for the decision or wish to contest it.

Storage
We store personal data for as long as this is necessary for the purpose of our processing activities. This means that we store data during such period when we can be met by a claim, are obliged to do so pursuant to current legislation (e.g. the Danish Bookkeeping Act (Bogføringsloven) and the financial supervisory legislation, including the SII Regulation) or have another legitimate reason for storing the data, e.g. to check the accuracy of our data models.


E. Market products and services to you

When we market products and services we may use your personal data to target the marketing. In the case of telephone or mail campaigns we base our processing on our legitimate interest in providing you with relevant marketing, see Article (6)(1)(f) of the General Data Protection Regulation, and in the case of banner and advertisement marketing on our own site and those of our business partners (e.g. news media and social media) we obtain your consent, see Article (6)(1)(a) of the General Data Protection Regulation.
Before marketing our insurance products to you on the phone, we check that you have not declined direct marketing from us or if you are registered on the Robinson list.

Categories of personal data we collect and process:
• Contact information (e.g. name, address, email and phone number)
• Date of birth
• Insurance information about you or the insured object (e.g. which products you have)
• Our assessment of your customer status and profitability
• Your cookie ID, unit type/ID (including information sent automatically from your equipment in the form of language setting, IP address and demographic data) and your behaviour on our sites and those of our business partners.

Collection and disclosure of personal data
Sources of data and categories of data recipients may be:
• The policyholder
• The Central Office of Civil Registration (Det Centrale Personregister) (in order to update address and for information about opt-out
registration for unsolicited advertising)
• BBR (Central Register of Buildings and Dwellings for information about your property)
• DMR (Digital Motor Register)
• Bilstatistik.dk (information about motor vehicles)
• DFIM (Danish Motor Insurers’ Bureau)
• Business partners, including associations, which entitle you to discounts and other benefits
• Business partners and suppliers who assist us in the administration and performance of your insurance agreement e.g. insurance providers, or where our cooperation and/or your membership or customer relationship entitles you to special advantages (e.g. discounts or the right to subscribe to Alka Fordele)
• Employers and pension providers (for registration under group insurance policies)

Disclosure
We may disclose your information to business partners, provided we are entitled hereto pursuant to Section 117 (1) of the Danish Financial
Business Act (Lov om finansiel virksomhed), cf. Article 6(1), cf. (2), cf. (3) of the General Data Protection Regulation as well as Section 13(2-3) of
the Danish Data Protection Act (Databeskyttelsesloven).

We may disclose personal data about you, which we have obtained from publicly available registers such as the telephone directory, DAR, BBR
and the CVR register to our business partners for marketing purposes, see Section 13(2) and (4) of the Danish Data Protection Act (Databeskyttelsesloven) and Article 6(1)(f) (legitimate interests) of the General Data Protection Regulation. Prior to such disclosure, we sort out
some of the information based on selected commercial criteria so that it cannot be concluded that you are a customer with Tryg. We delete any
information which we have received from public registers immediately after passing it on to our business partner, unless you are a customer with
us already.

We may also disclose your personal data (name, telephone, address and email), which we have obtained from publicly available registers, as part
of preparing an insurance quote for you, your registration for our newsletters or which we have in our customer systems. The purpose is to target marketing of our products and services on advertising platforms, e.g. on news media and social media. Our legal basis for disclosing your personal data is our legitimate interest in marketing relevant products and services of interest and relevance to you, see Article 6(1)(f) (legitimate interests) of the General Data Protection Regulation.

As a customer with us, you may also be entitled to special discounts and benefits with our business partners. Should you wish to hear more about
these discounts and benefits, we will ask you to give us consent to disclose your contact information to our business partners for this purpose, and they will then contact you. Our legal basis for collecting and disclosing your information is consent, see Section 121 (private customers) and Section 117 (commercial customers) of the Danish Financial Business Act (Lov om finansiel virksomhed) as well as Section 13(1) of the Danish Data Protection Act (Databeskyttelsesloven).

With regard to commercial customers, we may also disclose usual information about the company name and possibly contact data for employees (name, email and possibly a telephone no.) to our financial business partners for the purpose of them marketing their own products and services.
Our legal basis for this is Section 121(3) of the Danish Financial Business Act (Lov om finansiel virksomhed).

We do not disclose your data from public registers to our business partners if you are registered on the Robinson list or have opted out of receiving
direct marketing from us or if you have an unlisted address and/or telephone no.

Storage
We store personal data for as long as this is necessary for the purpose of our processing activities. This means that we store data during such
period when we have an objective purpose to do so, e.g. to be able to check whether you have opted out of receiving direct marketing from us.

You can always object to our direct marketing by contacting us on tel. +45 70 11 20 20.

F Use cookies, are on social media and you visit our websites and those of others


When you visit Tryg’s websites

When you visit Tryg’s websites (tryg.dk, alka.dk, tjm-forsikring.dk, fdm-forsikring.dk, tryggaranti.dk, tryg.com as well as sub domains and underlying web pages relating hereto) we collect information about your cookie ID, unit type/ID (including information sent automatically from your equipment in the form of language setting, IP address and demographic data) which websites and underlying pages relating hereto you see and when. We do this in order to ensure the necessary functionality of the website, create personalised content of the website, prepare statistics of the use of the website and target marketing to you on our website, other websites and social media.

In the cookie banner on our website you consent to which cookies you allow to be applied to your equipment. If you consent to cookies you also consent to the processing of your personal data relating thereto, which is obtained through cookies. Our legal basis for collecting data about your behaviour on our websites and disclosing your personal data to our cookie business partners is consent, see Article 6(1)(a) (consent) of the General Data Protection Regulation.

When you visit other websites and social media
We advertise on websites and social media of third parties. From these websites we may collect and receive data such as your cookie ID, information about which advertisements you have seen and when. We do this in order to be able to target our marketing based on your interests (profiling), in order to measure the effect of our marketing and to prevent that you receive the same advertisement too many times.
We are joint data controller with our third party business partners for the collection and disclosing of information to us. We are separate data controller for our own use of such data. Consent is our legal basis for collection and processing of these data about your behaviour on third party websites for marketing purposes, see Article 6(1)(a) of the General Data Protection Regulation.

Withdrawal of cookie consent
You can always withdraw your consent to cookies at the top of our Privacy and Cookie Notice under ‘Change your cookie consent’ (“Ret dit cookiesamtykke”). However, you cannot block cookies which are necessary (‘necessary cookies’) for the functionality of the website, and these do not require consent. A cookie is also created in order to remember your choice of cookies.

When you have withdrawn your consent to cookies, we no longer collect data from the cookies, which we have set on your device, e.g. your computer, just as we no longer set more cookies. In order to delete the cookies already on your device you need to block and reset cookies in your browser yourself.

Notice, however, if you block or deselect cookies this may result in certain functions and services, which you can then not use as these require the website to remember the choices you make.


G. Observe our obligation to fight money-laundering and financing of terrorism

In order to prevent money-laundering and financing of terrorism Tryg is obligated to collect, process and store certain types of personal data
which is necessary in order to observe and be able to document a customer knowledge procedure executed correctly.

In connection with establishing a business connection with a potential customer, by performing customer due diligence or carrying out any one
transaction for an existing customer, Tryg processes personal data on physical persons such as the customer's managers, the customer’s real
owner(s) or other persons representing or in any way acting on behalf of the customer.

Processed personal data may include names, addresses, phone numbers, emails, information about whether a person is a politically exposed person (PEP) or a relative or close employee to such a person, and all information concerning verification of the identity of and documentation relating to the customer. We can request such data to be confirmed e.g. in the form of a scanned copy of a driving license, a national health service medical card and/or a birth certificate. Where the concerned persons are not Danish or do not reside in Denmark it may be necessary to collect further information.

We process such personal data on the basis of Article 6(1)(c) (legal obligation) of the General Data Protection Regulation. The legal obligation is
stipulated in Section 11 of the Danish Anti-Money Laundering Act (Hvidvaskloven). Under special circumstances special categories of personal
data may also be processed. Such processing will be made on the legal basis of Article 9(2)(g) (substantial public interests), cf. 6(1)(c) (legal obligation) of the General Data Protection Regulation. Where a civil registration (CPR) number is processed this is done on the legal basis of Section 11(2)(1) of the Danish Data Protection Act (Databeskyttelsesloven).

The sources of collection of data will always be the persons in question.

Where a public authority, e.g. the Danish FSA or the Danish Money Laundering Secretariat (Hvidvasksekretariatet) shows an interest in certain
transactions we are, pursuant to the Danish Anti-Money Laundering Act (Hvidvaskloven), obligated to disclose this information to the authorities in question.

Storage
We store your personal data for as long as it is necessary. In accordance with Section 30 of the Danish Anti-Money Laundering Act
(Hvidvaskloven) we do not store your data for more than 5 years (unless other legislation such as e.g. the Danish Bookkeeping Act
(Bogføringsloven) stipulates a longer storage period). The 5-year period begins on the date of termination of the customer relationship or 5
years from the end of one single transaction, depending of which comes first.


H. Communicating with you on other matters

When you contact us with questions about e.g. insurance policies, complaints or if you are a representative or contact of one of our customers, suppliers or business partners, we process your personal data in order to provide you with the correct assistance, advice or service, see Article 6(1)(b) (necessary for the performance of a contract) and Article 6(1)(f) (legitimate interests) of the General Data Protection Regulation.

Satisfaction surveys
Tryg carries out satisfaction surveys in connection with customer contact on the phone, claims handling and user experience in general. The
purpose of the satisfaction survey is to improve the quality of our claims handling and customer handling as well as to improve Tryg’s products
and digital solutions.

In connection with satisfaction surveys on the phone or online, we process your responses with your telephone number or online identifier (IP address and cookie). We use this data for quality assurance, optimisation of customer satisfaction and training of our employees. Our legal basis for this is our legitimate interest in ensuring satisfied customers and optimisation of our services and products, see Article 6(1)(f) (legitimate interests) of the General Data Protection Regulation.

If you have signed up for receiving a newsletter from us, we will store your contact details for this purpose, see Article 6(1)(f) (legitimate interests) of the General Data Protection Regulation.

Interviews, market surveys and tests
If you participate in interviews and market surveys about and/or tests of new concepts and product designs, and the like, in order to establish insurance needs and development of new services, products and marketing initiatives (e.g. related to vehicles, health, comfort, housing conditions and measures creating peace of mind) we collect, process and store your answers and data for the development of new insurance products and services or the optimisation hereof. We may also use this data to optimise customer satisfaction and the training of our employees.

When we process non-sensitive personal data in interviews, market surveys and tests our legal basis for doing so is our legitimate interest in improving our products and services, see Article 6(1)(f) (legitimate interests) of the General Data Protection Regulation. When we process special categories of personal data, including data relating to health and trade union affiliation as well as information about criminal offences, our legal basis for doing so is consent, see Article 9(2)(a) (consent) of the General Data Protection Regulation. You may withdraw your consent at any time, for further details see section III. O below.


II. How we protect your personal data when we;


I. Communicate by email

If we send you emails containing your civil registration (CPR) number or sensitive personal data, we encrypt the emails.

Please note that we cannot guarantee confidentiality and use of encryption when you have received the email in your mail server, or when you send emails to us as this will depend on your service provider. We can receive emails with Tunnel Layer Security (TLS) if your provider supports this feature.

It is important that you generally choose a trustworthy and secure provider that supports receiving email with TLS by default. You should also secure your account with a strong password and two-factor login.

Read more about being a digital customer at https://tryg.dk/digital.

J. Record telephone calls with you
We may record our telephone calls with you for the purpose of documentation on the basis of Tryg’s legitimate interest in being able to document what we agree upon with you and what has been said in connection with your claims handling, or for the use in a possible future complaint case, cf. Article 6(1)(f) (legitimate interests) of the General Data Protection Regulation.

We may also record and transcribe our telephone calls with you to improve the quality of the customer service and products in Tryg on the basis of your consent, which you give to us by choosing it on the telephone menu, cf. Article 6(1)(a) (consent) of the General Data Protection Regulation. Improvement of the quality of the customer service and products entail education of and feedback to employees and gaining insight into language-related trends from our conversations with you.

As a rule, we store the recordings for 1 year for the purpose of documentation and 6 months when the purpose is improvement of the quality of the customer service and products in Tryg, after which they are deleted. As a rule, transcribed recordings are deleted after 3 years.

Where, within a year, the conversation with you becomes part of a specific complaint, dispute or other type of case handling, including disclosure for the purpose of insight or limitation, the recording can be stored for as long as it is necessary to solve the case in question. Also, the documentation can be saved pursuant to the rules of the Danish Period of Limitation Act (Forældelsesloven).

K. Process your data digitally
When you fill in a contact form, buy an insurance policy, obtain a quote or report a claim online, we register the data you give us. Your notice of claim will be encrypted. We store the data for as long as is needed in accordance with our general guidelines on data storage.

On ‘My Page’ and ‘My Company’ – your personal self-service universe – you can find information about your current insurance policies and claims.
Read more about being a digital customer at https://tryg.dk/digital. You may be exempted from receiving your mail in the customer portal if you
are exempted from receiving digital mail from the public sector.

If you write to us through the chat function on our website, we register the information you give us to enable us to answer your enquiry. The chat
function is encrypted, and we will delete the conversation after 1 year. We store data that we need in accordance with our general guidelines on
data storage. We recommend that you do not chat with us about matters involving the processing of sensitive personal data but instead call us
on tel. +45 70 11 20 20.

When you use our applications (apps), you can read more about our data processing in the conditions for the respective application that you use.

We would like to point out that if you write to us via social media such as Facebook, Messenger, Twitter or LinkedIn, we cannot encrypt, protect, correct or delete your data. Therefore, we recommend that you call us on tel. +45 70 11 20 20 instead.

Read more about our use of cookies in section F above.

L. Experience personal data security breaches
We are responsible for reporting any data breaches that involve us and our data processors to the Danish Data Protection Agency. Our data processors work under our instructions and are subject to our requirements relating to organisational, technical and security measures.

If we experience a personal data breach, we are, as a rule, obliged to report the breach to the Danish Data Protection Agency within 72 hours
from when we have become aware hereof, in accordance with the personal data protection legislation.

If the personal data breach is likely to result in a high risk to your rights and freedoms, we are also obliged to inform you directly. We will do this by telephone, email, text message, at our website or through the press, depending on the available contact details for the persons affected by
the situation and the seriousness of the data breach.

If you erroneously receive a letter or an email addressed to one of our other customers, you can report this by email to dpo@tryg.dk.

M. Disclose personal data to other parties
We do not disclose your personal data to other parties unless you have given your consent, or we have another legal basis for such disclosure pursuant to the Danish Financial Business Act (Lov om finansiel virksomhed) and the personal data protection legislation.

We disclose personal data when necessary, for example to perform and administrate your insurance agreement, handle your claim, if we have a claim against others in connection with your claim, provide you with marketing or if you wish to use your affiliation with one of our business partners to obtain a discount and other advantages.

Our business partners may act as our extended arm and work under our instructions, and where your data is used exclusively for our purposes
(data processors), or they may act as separate data controllers, just like us. We may also be joint controllers, which means that we and our partners jointly define the purpose and means of processing your personal data.

Among other things, we engage with data processors for the purpose of development, hosting, support and operations.

When we enter into an agreement with a data processor on the processing of your personal data on our behalf, we emphasise the importance of the data processor being able to process your personal data in a secure manner and in accordance with all applicable legislation. We therefore perform a risk assessment of our data processors before entering into an agreement with them and disclosing your personal data to them.

If you have any questions about the rights of data subjects (e.g. your right to access, rectification, erasure etc.). In cases where we are joint data
controllers, you may always approach us for guidance.

When our business partners are separate data controllers, they are obliged to meet your wishes regarding the use of your personal data rights (right to access, rectification, erasure etc.). You may find more information about this in our cookie directory on our website.

N. Transfer data to third countries
We use data processors and sub-processors outside the EU/EEA in connection with technical IT development, hosting, support and operations.
Furthermore, in specific individual cases we may transfer data to countries outside the EU/EEA, e.g. in connection with the handling of your
claim(s).

When we use data processors outside the EU/EEA, we apply the European Commission’s standard data protection clauses or another legal basis
for data transfer, see Articles 45-49 of the General Data Protection Regulation, and we are also obligated to ensure that such organisational and
technical measures are available as are required to ensure protection of the personal data which is disclosed to our data processors in third
countries.


III. Your personal data rights


O. Withdrawal of consent

Your consent may be given orally and/or in writing.

If the processing of your personal data is based on your consent, you have the right to withdraw your consent. This means that, going forward, we will stop processing your data based on your consent. Your withdrawal of consent will not affect the legality of the data processing we have performed before you withdrew your consent. Also, your withdrawal of consent will only apply to data which we have processed based on your consent but not to any data which we process on other legal grounds such as Article 6(1)(b) (necessary for the performance of a contract) of the General Data Protection Regulation.

You can withdraw your consent by calling us on tel. +45 70 11 20 20 or by contacting the Tryg department that originally obtained your consent.

Withdrawal of your consent to cookies and the processing of your personal data relating thereto, see section I. F above.

P. Other personal data rights
When we process your personal data, you have a number of rights.

You have the right to obtain access to the personal data we process about you.

You have the right to rectification, i.e. to have inaccurate personal data about you corrected or your incomplete data supplemented with further data if this will make your personal data more complete or up to date. You can always change your master data on ‘My Page’ and ‘My Company’ at www.tryg.dk.

You have the right to erasure, which means that, in certain cases, you have the right to have personal data about you deleted before such point in time when we generally delete such data.

You have the right to restriction of processing of your personal data. This means that, in certain cases, you have the right to demand that, in the
future, your personal data will only be processed – with the exception of storage – with your consent, or for the establishment, exercise or defence
of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

You have the right to object to the processing of your personal data in certain cases. This means that you have the right to object to our otherwise
lawful processing of your personal data.

On grounds relating to your particular situation, you may object to our processing of your data based on Article 6(1)(f) (legitimate interests) of
the General Data Protection Regulation. This will be the case if

• we record a telephone conversation with you for the purpose of documentation
• we process your data under an insurance policy or in connection with a claim without you having entered into an insurance
agreement with us or without it being necessary for the assessment of a claim, e.g. if you are registered as a relative of a policyholder
• we use your data for statistics, analyses and predictive models in order to improve our business model without being under a legal
obligation to do so or without it being done to safeguard substantial public interests
• we use your data to assess the risk of fraud
• we use your data to target our communications, or
• we log your data to protect our systems.

You always have the right to object to the processing, including the profiling, of your personal data for direct marketing purposes.

You have the right to human intervention in connection with automated decision-making. This may, for example, be the case if you have received a quote or taken out an insurance policy online, or if you submit a claim digitally, and where our price and assessment of our insurance cover or the compensation to be paid are based on an automated decision.

You have the right to talk to us if you want us to explain our decision
or if you wish to contest it.

You have the right to data portability, which means that you have the right to receive the personal data you have given us in a structured, commonly used and machine-readable format and to have this data transmitted to another insurance company.

You can read more about your rights in the guidance of the Danish Data Protection Agency (Datatilsynet) on the rights of data subjects, which
guidance you will find on www.datatilsynet.dk.

We store documentation showing that we have granted or rejected your request to exercise one of your personal data rights for 5 years.


IV. How to contact us or make a complaint

Tryg Forsikring A/S
Klausdalsbrovej 601
DK-2750 Ballerup

If you have any further questions about how we process your personal data, or if you wish to exercise your personal data rights, you can always contact us on www.tryg.dk or call us on our main number +45 70 11 20 20, where you will be put through to the department responsible for handling your question.

If you wish to make a complaint about our processing of your personal data, you can send an email to kvalitet@tryg.dk.

You can also write to our Data Protection Officer at
dpo@tryg.dk.

The Danish Data Protection Agency is the supervisory authority responsible for monitoring compliance with personal data protection legislation in Denmark. You can complain to the Danish Data Protection Agency at Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby
(www.datatilsynet.dk).

We hope you will contact us first so we can help you assess any complaint you may wish to make and clarify and remedy any misunderstandings.