Information obligations under Article 13 of the EU General Data Protection Regulation (GDPR)
HanseMerkur Reiseversicherung AG
The data protection officer of the data controller is:
Purpose and legal basis of data processing
We process your personal data in compliance with the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), provisions of the Insurance Contract Act (VVG) and other laws with relevance to data protection. In addition, our company is committed to observing the "Code of Conduct for the Handling of Personal Data by the German Insurance Industry", which adapts the above provisions to the specific needs of the insurance industry. The Code of Conduct can be viewed here.
If you submit an application for insurance cover, we will need the information you provide to conclude the contract and to assess the risk associated with providing insurance services to you. Where the insurance contract is concluded, we process this data for the purpose of implementing this contract, e.g. for the purpose of issuing an insurance policy or invoicing. We need information about the claim, for example, to check whether an insured event occurred and to assess the amount of damage.
Without processing your personal data, it would be impossible for us to enter into or implement insurance contracts.
In addition, we may process your personal data to comply with regulatory requirements, to compile insurance statistics or to develop new insurance products and pricing. We use the data from all existing contracts with HanseMerkur to analyse the customer relationship as a whole, for example to provide advice on contract adjustment or supplementation, to make good-will decisions, or to share comprehensive information.
The legal basis for this type of processing of personal data for pre-contractual and contractual purposes is Article 6 (1) (b) GDPR. Insofar as special categories of personal data are required for this purpose (e.g. your health data when concluding a health insurance contract), we will obtain your consent in accordance with Article 9 (2) (a) in conjunction with Article 7 GDPR. We provide you in advance with a template for this purpose here.
Where we use these data categories to compile statistics, this is done in accordance with Art. 9 (2) (j) GDPR in conjunction with Article 27 BDSG.
We also process your data in order to protect our legitimate interests and those of third parties (Article 6 (1) (f) GDPR). This may be necessary, in particular:
In addition, we process your personal data to comply with laws and regulations, e.g. regulatory requirements, statutory retention requirements under commercial or tax laws or our obligation to provide advice. The respective statutory provisions in conjunction with Article 6 (1) (c) GDPR constitute the legal basis for processing in this case.
If we intend to use your personal data for any purpose other than those listed above, we are required under the statutory provisions to notify you in advance.
Categories of recipients of personal data
Data processing within the group:
Third-party service providers
To fulfil our contractual and legal obligations, the individual companies of the HanseMerkur Insurance Group (HanseMerkur Krankenversicherung auf Gegenseitigkeit, HanseMerkur Krankenversicherung AG, HanseMerkur Lebensversicherung AG, HanseMerkur Allgemeine Versicherung AG, HanseMerkur Reiseversicherung AG, HanseMerkur Speziale Krankenversicherung AG) – hereinafter referred to as HanseMerkur – currently work as and when needed with service providers (companies/individuals) using health data and other data protected under Article 203 of the German Criminal Code (StGB). A list of contractors and service providers we use on a long-term basis:
The complete contact details are available upon request.
In addition, HanseMerkur works together with the following entities to collect, process and use health data and other data protected under Article 203 StGB:
In addition, we may have to share your personal data with other recipients, such as government agencies, to meet our statutory reporting obligations (e.g. social security institutions, tax authorities or law enforcement agencies).
Duration of storage
We will delete your personal data as soon as it is no longer needed for the purposes specified above. We may be required to keep the personal data for periods during which claims can be made (statutory limitation periods from three to thirty years). In addition, we store your personal data where we are required to do so by law. The relevant obligations with respect to burden of proof and retention periods are set out in the Commercial Code, Tax Code and the Anti-Money Laundering Act, under which the periods of retention can be up to ten years.
Rights of data subjects
You can request information about the personal data we hold about you by writing to the above address. In addition, under certain circumstances, you may request your data to be rectified or deleted. You also have the right to restrict the processing of your data and to receive the data you have provided to us in a structured, commonly used and machine-readable format.
Right to object
You have the right to object to the processing of your personal data for direct marketing purposes. If we process your data to protect legitimate interests, you can object to the processing of data on compelling legitimate grounds relating to your particular situation.
Right to complain
You have the option to complain either to the data protection officer specified above or to a data protection supervisory authority. The data protection supervisory authority responsible for us is:
Hamburg Commissioner for Data Protection and Freedom of Information
Data transmission to a third country
If we transfer personal data to service providers outside the European Economic Area (EEA), the transfer will take place only if the third country is deemed by the EU Commission to have an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding internal data protection rules, or EU standard contractual clauses) are in place.
Automated individual decisions
Based on risk-related information we ask you to provide in your application, we make fully automated decisions, for example, as to whether to enter into a contract or the amount of the insurance premium.
You have the right to obtain human intervention on the part of the controller, to express your point of view, and to contest the decision.