Data Protection

The purpose of the following is to inform you as Customer or Stakeholder about the processing of your Personal Data by HanseMerkur and your rights under the Data Protection Laws and Regulations:

Data Protection Officer: Mr Niklas Geldszus
E-Mail: datenschutz@hansemerkur.de

HanseMerkur Group
Siegfried-Wedells-Platz 1
20354 Hamburg
Phone: +49 40 4119 19 19
Fax: +49 40 4119 30 40
E-Mail: reiseinfo@hansemerkur.de

Purpose and Legal Basis of Data Processing

We process your Personal Data in compliance with the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), provisions of the Insurance Contract Act (VVG) and other laws with relevance to Data Protection. In addition, our company is committed to observing the “Code of Conduct for the Handling of Personal Data by the German Insurance Industry”, which adapts the above provisions to the specific needs of the insurance industry.

If you submit an application for insurance cover, we will need the information you provide to conclude the contract and to assess the risk associated with providing insurance services to you. Where the insurance contract is concluded, we process this data for the purpose of implementing this contract, e.g. for the purpose of issuing an insurance policy or invoicing. We need information about the claim, for example, to check whether an insured event occurred and to assess the claim.

Without processing your personal data, it would be impossible for us to enter into or implement insurance contracts.

In addition, we may process your personal data to comply with regulatory requirements, to compile insurance statistics or to develop new insurance products and pricing. We use the data from all existing contracts with HanseMerkur to analyse the customer relationship as a whole, to provide for example advice on contract adjustments, to make goodwill decisions, or to share comprehensive information.

The legal basis for this type of processing of personal data for pre-contractual and contractual purposes is Article 6 (1) (b) GDPR. Insofar as special categories of personal data are required for this purpose (e.g. your health data when concluding a health insurance contract), we will obtain your consent in accordance with Article 9 (2) (a) in conjunction with Article 7 GDPR.

Where we use these data categories to compile statistics, this is done in accordance with Article 9 (2) (j) GDPR in conjunction with Article 27 BDSG.

We also process your data in order to protect our legitimate interests and those of third parties (Article 6 (1) (f) GDPR). This may be necessary, in particular:

to ensure IT security and to protect IT operations; to promote our own insurance products and other products of the companies belonging to the HanseMerkur Group and their cooperation partners, as well as to conduct market surveys and opinion polls; to prevent and investigate criminal offences, and in particular to identify clues that point towards insurance fraud.

In addition, we process your personal data to comply with laws and regulations, e.g. regulatory requirements, statutory retention requirements under commercial or tax laws or our obligation to provide advice. The respective statutory provisions in conjunction with Article 6 (1) (c) GDPR constitute the legal basis for processing in this case.

If we intend to use your personal data for any purpose other than those listed above, we are required under the statutory provisions to notify you in advance.

Categories of recipients of personal data

Reinsurance companies
We also insure risks assumed by us with specialised insurance companies (reinsurers). To do this, we may have to share your contract or claims data with the reinsurer, to allow them to form their own opinion about the risk or the insured event. It is also possible that the reinsurer will support our company based on its expertise in assessing the risk and the eligibility for benefits and in the evaluation of procedures. We will transmit your data to the reinsurer only if this is necessary to implement the insurance contract with you or lies within the scope required to safeguard our legitimate interests.

Insurance intermediaries
If you use an insurance intermediary to arrange insurance cover for you, the insurance intermediary will process the application, contract and claims data required to conclude and implement the contract. We will provide the insurance intermediary with your personal data to the extent that the intermediary needs this information to provide you with assistance and advice in insurance or financial services-related matters.

Data processing within the group
Some data processing tasks are performed centrally by specialised companies or departments that are economically or organisationally affiliated within our group of companies. If you have an insurance contract with one or more companies in our group, your data may be centrally managed by one company within the group, e.g. involving the central administration of address data, telephone customer service, contract and service processing, collection and payments or common mail processing.

Third-party service providers
To fulfil our contractual and legal obligations, the individual companies of the HanseMerkur Insurance Group currently work as and when needed with service providers (companies/individuals) using health data and other data protected under Article 203 of the German Criminal Code (StGB).

Other recipients
In addition, we may have to share your personal data with other recipients, such as government agencies, to meet our statutory reporting obligations (e.g. social security institutions, tax authorities or law enforcement agencies).

Duration of storage

We will delete your personal data as soon as it is no longer needed for the purposes specified above. We may be required to keep the personal data for periods during which claims can be made (statutory limitation periods from three to thirty years). In addition, we store your personal data where we are required to do so by law. The relevant obligations with respect to burden of proof and retention periods are set out in the Commercial Code, Tax Code and the Anti-Money Laundering Act, under which the periods of retention can be up to ten years.

Rights of data subjects

You can request information about the personal data we hold about you by writing to the above address. In addition, under certain circumstances, you may request your data to be rectified or deleted. You are also entitled to restrict the processing of your data and to receive the data you have provided to us in a structured, commonly used and machine-readable format.

Right to object

You have the right to object to the processing of your personal data for direct marketing purposes. If we process your data to protect legitimate interests, you can object to the processing of data on compelling legitimate grounds relating to your particular situation.

Right to complain

You have the option to complain either to the Data Protection Officer specified above or to a Data Protection Supervisory Authority. The data protection supervisory authority responsible for us is:

Hamburg Commissioner for Data Protection and Freedom of Information
Klosterwall 6, 20095 Hamburg

Data transmission to a third country

If we transfer personal data to service providers outside the European Economic Area (EEA), the transfer will take place only if the third country is deemed by the EU Commission to have an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding internal data protection rules, or EU standard contractual clauses) are in place.