The purpose of the following is to inform you, as a customer or stakeholder, about the processing of your personal data by HanseMerkur and your rights under data protection laws and regulations.

E-Mail: datenschutz@hansemerkur.de

HanseMerkur Group
Siegfried-Wedells-Platz 1
20354 Hamburg
Phone: +49 40 4119 19 19
Fax: +49 40 4119 30 40
E-Mail: reiseinfo@hansemerkur.de

Purpose and Legal Basis of Data Processing

We process your personal data in compliance with the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), the provisions of the Insurance Contract Act (VVG), and other relevant laws concerning data protection. Furthermore, our company is committed to adhering to the “Code of Conduct for the Handling of Personal Data by the German Insurance Industry,” which tailors these provisions to the specific needs of the insurance sector.

When you submit an application for insurance coverage, we require the information you provide to conclude the contract and assess the risk associated with offering you insurance services. Once the insurance contract is concluded, we will process this data to implement the contract, such as issuing an insurance policy or invoicing. We require information about any claims to determine if an insured event has occurred and to evaluate the claim.

Without processing your personal data, it would be impossible for us to enter into or fulfil insurance contracts.

Additionally, we may process your personal data to meet regulatory requirements, compile insurance statistics, or develop new insurance products and pricing. We use the data from all existing contracts with HanseMerkur to analyse the overall customer relationship, allowing us to provide advice on contract adjustments, make goodwill decisions, or share comprehensive information.

The legal basis for processing personal data for pre-contractual and contractual purposes is Article 6 (1) (b) GDPR. If special categories of personal data are necessary for this purpose (e.g., your health data when concluding a health insurance contract), we will obtain your consent in line with Article 9 (2) (a) in conjunction with Article 7 GDPR.

When we compile statistics using these categories of data, this is done in accordance with Article 9 (2) (j) GDPR in conjunction with Article 27 BDSG.

We also process your data to protect our legitimate interests and those of third parties (Article 6 (1) (f) GDPR). This may be necessary particularly for:

• Ensuring IT security and protecting our IT operations
• Promoting our own insurance products and those of companies within the HanseMerkur Group and their partners
• Conducting market research and opinion polls
• Preventing and investigating criminal offences, especially to identify signs of insurance fraud

Moreover, we process your personal data to comply with laws and regulations, such as regulatory requirements, statutory retention obligations under commercial or tax laws, or our duty to provide advice. The relevant statutory provisions in conjunction with Article 6 (1) (c) GDPR serve as the legal basis for processing in these instances.

If we intend to use your personal data for any purpose other than those mentioned above, we are obligated under statutory provisions to notify you in advance.

Categories of recipients of personal data

Reinsurance Companies
We also insure risks undertaken by us with specialised insurance companies (reinsurers). To facilitate this, we may need to share your contract or claims data with the reinsurer, allowing them to form their own assessment of the risk or the insured event. It is also possible that the reinsurer will provide our company with support based on their expertise in evaluating the risk, determining eligibility for benefits, and assessing procedures. We will transmit your data to the reinsurer only if this is necessary to implement the insurance contract with you or falls within what is required to protect our legitimate interests.

Insurance Intermediaries
If you use an insurance intermediary to arrange your insurance coverage, the intermediary will process the application, contract, and claims data needed to conclude and implement the contract. We will provide the insurance intermediary with your personal data to the extent necessary for them to assist and advise you in matters related to insurance or financial services.

Data Processing within the Group
Certain data processing tasks are carried out centrally by specialised companies or departments within our economically or organisationally affiliated group of companies. If you have an insurance contract with one or more companies in our group, your data may be centrally managed by one company within the group, which may involve central administration of address data, telephone customer service, contract and service processing, collections and payments, or shared mail processing.

Third-Party Service Providers
To fulfil our contractual and legal obligations, the individual companies of the HanseMerkur Insurance Group may engage service providers (companies or individuals) as needed, who will use health data and other information protected under Article 203 of the German Criminal Code (StGB).