Information obligations under Article 13 of the EU General Data Protection Regulation (GDPR)

The purpose of this privacy policy is to inform you, as an insurance customer or stakeholder, about the processing of your personal data by HanseMerkur and your rights under data protection laws and regulations.

HanseMerkur Reiseversicherung AG
Postfach
20352 Hamburg
Tel.: +49 40 4119-1919
Fax: +49 40 4119-3040
E-Mail: reiseinfo@hansemerkur.de

The data protection officer of the data controller is:
Mr Thomas Prigge
To contact the data protection officer, please use the above address or send an email to:
datenschutz@hansemerkur.de.

Purpose and legal basis of data processing

We process your personal data in compliance with the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), provisions of the Insurance Contract Act (VVG) and other laws with relevance to data protection. In addition, our company is committed to observing the "Code of Conduct for the Handling of Personal Data by the German Insurance Industry", which adapts the above provisions to the specific needs of the insurance industry. The Code of Conduct can be viewed here.

If you submit an application for insurance cover, we will need the information you provide to conclude the contract and to assess the risk associated with providing insurance services to you. Where the insurance contract is concluded, we process this data for the purpose of implementing this contract, e.g. for the purpose of issuing an insurance policy or invoicing. We need information about the claim, for example, to check whether an insured event occurred and to assess the amount of damage.

Without processing your personal data, it would be impossible for us to enter into or implement insurance contracts.

In addition, we may process your personal data to comply with regulatory requirements, to compile insurance statistics or to develop new insurance products and pricing. We use the data from all existing contracts with HanseMerkur to analyse the customer relationship as a whole, to provide for example advice on contract adjustment or supplementation, to make good-will decisions, or to share comprehensive information.

The legal basis for this type of processing of personal data for pre-contractual and contractual purposes is Article 6 (1) (b) GDPR. Insofar as special categories of personal data are required for this purpose (e.g. your health data when concluding a health insurance contract), we will obtain your consent in accordance with Article 9 (2) (a) in conjunction with Article 7 GDPR. We provide you in advance with a template for this purpose here.

Where we use these data categories to compile statistics, this is done in accordance with Art. 9 (2) (j) GDPR in conjunction with Article 27 BDSG.

We also process your data in order to protect our legitimate interests and those of third parties (Article 6 (1) (f) GDPR). This may be necessary, in particular:

  • to ensure IT security and to protect IT operations,
  • to promote our own insurance products and other products of the companies belonging to the HanseMerkur Group and their cooperation partners as well as to conduct market surveys and opinion polls,
  • to prevent and investigate criminal offences, and in particular to identify clues that point towards insurance fraud.

In addition, we process your personal data to comply with laws and regulations, e.g. regulatory requirements, statutory retention requirements under commercial or tax laws or our obligation to provide advice. The respective statutory provisions in conjunction with Article 6 (1) (c) GDPR constitute the legal basis for processing in this case.

If we intend to use your personal data for any purpose other than those listed above, we are required under the statutory provisions to notify you in advance.

Categories of recipients of personal data

Reinsurance companies

We also insure risks assumed by us with specialised insurance companies (reinsurers). To do this, we may have to share your contract or claims data with the reinsurer, to allow them to form their own opinion about the risk or the insured event. It is also possible that the reinsurer will support our company based on its expertise in assessing the risk and the eligibility for benefits and in the evaluation of procedures. We will transmit your data to the reinsurer only if this is necessary to implement the insurance contract with you or lies within the scope required to safeguard our legitimate interests.

Insurance intermediaries

If you use an insurance intermediary to arrange insurance cover for you, the insurance intermediary will process the application, contract and claims data required to conclude and implement the contract. We will provide the insurance intermediary with your personal data to the extent that the intermediary needs this information to provide you with assistance and advice in insurance or financial services-related matters.

Data processing within the group

Some data processing tasks are performed centrally by specialised companies or departments within our group for companies economically or organisationally affiliated within the group. If you have an insurance contract with one or more companies in our group, your data may be centrally managed by one company within the group, e.g. involving the central administration of address data, telephone customer service, contract and service processing, collection and payments or common mail processing. Our list of service providers lists the companies involved in centralised data processing.

Third-party service providers

To fulfil our contractual and legal obligations, the individual companies of the HanseMerkur Insurance Group (HanseMerkur Krankenversicherung auf Gegenseitigkeit, HanseMerkur Krankenversicherung AG, HanseMerkur Lebensversicherung AG, HanseMerkur Allgemeine Versicherung AG, HanseMerkur Reiseversicherung AG, HanseMerkur Speziale Krankenversicherung AG) – hereinafter referred to as HanseMerkur – currently work as and when needed with service providers (companies/individuals) using health data and other data protected under Article 203 of the German Criminal Code (StGB). A list of contractors and service providers we use on a long-term basis:

Persons and entities: Activities

  • H.B.C. Hanse Betreuungscenter GmbH: Telephone customer service
  • Roland Assistance GmbH: Assistance services
  • call us Assistance International GmbH: Assistance services
  • IMA Deutschland GmbH: Assistance services
  • IMA Iberica Asistencia: Assistance services
  • MD Medicus Assistance Service GmbH: Assistance services
  • Insurance Warehouse Gesellschaft für Finanzdienstleistungen GmbH: Portfolio management in the field of travel insurance
  • Deutsche Assistance Service GmbH: Assistance services
  • Eurocross Assistance Netherlands B. V.: Assistance services
  • ISON Care Sp. z o.o.: Assistance services
  • PAV Card GmbH: Printing and inserting services
  • AWS (Amazon Web Services): Service for converting the data (insurance policy) into an appropriate Apple/Google format for storage at the user's premises.


The complete contact details are available upon request.

In addition, HanseMerkur works together with the following entities to collect, process and use health data and other data protected under Article 203 StGB:

Persons and entities: Activities

  • Doctors, psychologists, psychiatrists, reinsurers: Appraisers and experts
  • Legal practitioners: General service in justified individual cases
  • External IT service providers: Application development and provision of technical resources
  • Letter shops: Mailing campaigns
  • Detective agencies: Fraud prevention measures in justified individual cases
  • Debt collection companies: Legal dunning proceedings, debt collection

Duration of storage

We will delete your personal data as soon as it is no longer needed for the purposes specified above. We may be required to keep the personal data for periods during which claims can be made (statutory limitation periods from three to thirty years). In addition, we store your personal data where we are required to do so by law. The relevant obligations with respect to burden of proof and retention periods are set out in the Commercial Code, Tax Code and the Anti-Money Laundering Act, under which the periods of retention can be up to ten years.

Rights

Rights of data subjects

You can request information about the personal data we hold about you by writing to the above address. In addition, under certain circumstances, you may request your data to be rectified or deleted. You are also entitled to restrict the processing of your data and to receive the data you have provided to us in a structured, commonly used and machine-readable format.

Right to object

You have the right to object to the processing of your personal data for direct marketing purposes. If we process your data to protect legitimate interests, you can object to the processing of data on compelling legitimate grounds relating to your particular situation.

Right to complain

You have the option to complain either to the data protection officer specified above or to a data protection supervisory authority. The data protection supervisory authority responsible for us is:

Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22,
20459 Hamburg

Data transmission to a third country

If we transfer personal data to service providers outside the European Economic Area (EEA), the transfer will take place only if the third country is deemed by the EU Commission to have an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding internal data protection rules, or EU standard contractual clauses) are in place.

Automated individual decisions

Based on risk-related information we ask you to provide in your application, we make fully automated decisions, for example, as to whether to enter into a contract or the amount of the insurance premium.

You have the right to obtain human intervention on the part of the controller, to express your point of view, and to contest the decision.