With this information, we would like to inform you as an insurance customer or involved party about the processing of your personal data by HanseMerkur and the rights to which you are entitled under data protection law.
HanseMerkur Reiseversicherung AG
Postfach
20352 Hamburg
Telephone: 040 4119 - 1919
Fax: 040 4119 - 3040
Email: reiseinfo@hansemerkur.de
The data protection officer of the data controller is:
Mr. Thomas Prigge
Please use the above address to contact us or send an email to: datenschutz@hansemerkur.de
Purposes and legal bases of data processing
We process your personal data in compliance with the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), the provisions of the Insurance Contract Act (VVG) relevant to data protection law and all other relevant laws. Furthermore, our company has committed to the rules of conduct for the handling of personal data established by the German insurance industry, which specify the above-mentioned laws for the insurance industry.
If you file an application for insurance cover, we require the information provided by you for the conclusion of the contract and to assess the risk to be assumed by us. If the insurance contract is concluded, we process this data to implement the contractual relationship, e.g. for issuing the policy or for invoicing. We need information about the claim, for example, to check whether an insured event occurred and to assess the amount of damage.
The conclusion and/or the execution of the insurance contract is not possible without processing your personal data.
In addition, we require your personal data to compile insurance statistics, e.g. to develop new tariffs or to comply with regulatory requirements. We use the data from all existing contracts with HanseMerkur to analyse the customer relationship as a whole, to provide for example advice on contract adjustment or supplementation, to make goodwill decisions, or to share comprehensive information.
The legal basis for this processing of personal data for pre-contractual and contractual purposes is Art. 6 (1) b) GDPR. If special categories of personal data (e.g. your health data when concluding a health insurance contract) are required for this purpose, we obtain your consent in accordance with Art. 9 (2) lit. a in conjunction with Art. 7 GDPR. For this purpose, we provide you with the declaration as a sample
If you are involved in the processing of an insurance claim (e.g. as an injured party or claimant), the insurance company managing the contract will generally be responsible for processing your personal data. We collect and store information about you and, if applicable, about an insurance claim or loss reported to us in order to be able to check whether an insured event has occurred and to be able to pay the insurance benefit to the entitled claimant. The collection and processing of your personal data by us is based on the legal basis of Art. 6 (1) lit. f GDPR and is necessary to safeguard our legitimate interest in the execution and processing of the insurance contract, in particular for the verification and processing of your benefit claims.
If we compile statistics with these data categories, this is done on the basis of Art. 9 (2) lit. j GDPR in conjunction with Section 27 German Federal Data Protection Act (BDSG).
We also process your data in order to safeguard our legitimate interests or those of third parties (Art. 6(1) lit. f GDPR). This can be necessary in particular:
- to ensure information security, in particular the protection goals of confidentiality, integrity and availability, as well as to ensure IT operations and carry out necessary IT tests. We also monitor the data processing systems to ensure their availability and document system errors so that they can be analysed and corrected.
- for advertising our own insurance products and other products of the companies of the HanseMerkur Group and of cooperation partners, as well as for market and opinion surveys,
- to prevent and investigate criminal offences; in particular, we use data analyses to identify clues that could point towards insurance fraud.
- for risk management within the respective company and the HanseMerkur Insurance Group as a whole.
- for business management, further development of processes and services, in particular issue recognition and processing. Digital assistance systems are also used here to support the tasks at hand. The assistance systems are also trained and further improved in the process.
In addition, we process your personal data to fulfil legal obligations such as regulatory requirements, commercial and tax retention obligations or our duty to provide advice. The respective statutory provisions in conjunction with Article 6 (1) lit. c GDPR constitute the legal basis for processing in this case.
If we should wish to process your personal data for a reason not given above, we will inform you of this beforehand pursuant to the statutory provisions.
Categories of personal data recipient
Reinsurers:
We also insure risks assumed by us with special insurance companies (reinsurers). For this purpose, it may be necessary to transmit your contract and, if applicable, claims data to a reinsurer so that they can form their own picture of the risk or the insured event. It is also possible that the reinsurer will support our company based on its expertise in assessing the risk and the eligibility for benefits, and in the evaluation of procedures. We only transfer your data to the reinsurer if this is necessary for the performance of our insurance contract with you or to the extent required to protect our legitimate interests.
Further information on the reinsurer used is available on our website at www.hansemerkur.de/datenschutz/information You can also request this information using the contact details above.
Intermediary:
Insofar as you are looked after by an intermediary with regard to your insurance contracts, your intermediary processes the application, contract and claims data required for the conclusion and implementation of the contract. We will provide the insurance intermediary with your personal data to the extent that the intermediary needs this information to provide you with assistance and advice in insurance or financial services-related matters.
Data processing in the group of companies:
Specialised companies or divisions of our group of companies perform certain data processing tasks centrally for the companies affiliated in the group. If there is an insurance contract between you and one or more companies of our group, your data can be processed, for instance, for the central administration of address data, for telephone customer service, for contract and benefits handling, for collections and disbursements or for joint processing of the mail in centralised form by a company of the group. In our service provider list, you will find the companies that participate in centralised data processing.
In this context, there is joint responsibility in accordance with Art. 26 GDPR.
Companies of the HanseMerkur Insurance Group that use master data in joint IT procedures:
HanseMerkur Krankenversicherung AG, HanseMerkur Lebensversicherung AG, HanseMerkur Reiseversicherung AG, HanseMerkur Allgemeine Versicherung AG, HanseMerkur Speziale Krankenversicherung AG, Advigon Versicherung AG, BD24 Berlin Direkt Versicherung AG, HanseMerkur International AG.
External service providers
To fulfil our contractual and legal obligations, the individual companies of the HanseMerkur Insurance Group (HanseMerkur Krankenversicherung auf Gegenseitigkeit, HanseMerkur Krankenversicherung AG, HanseMerkur Lebensversicherung AG, HanseMerkur Allgemeine Versicherung AG, HanseMerkur Reiseversicherung AG, HanseMerkur Speziale Krankenversicherung AG) – hereinafter referred to as HanseMerkur – currently work as and when needed with service providers (companies/individuals) using health data and other data protected under Article 203 of the German Criminal Code (StGB). A list of the contractors and service providers we use with whom we have more than temporary business relationships can be found in the table:
| Persons and entities | Activities |
Call us Assistance International GmbH | Assistance services |
Deutsche Assistance Service GmbH | Assistance services |
DPePS Deutsche Post E-Post Solution GmbH | Incoming mail processing |
Eurocross Assistance Netherlands B.V. | Assistance services |
GlobalExcel | Cost containment (USA) |
H.B.C. Hanse Betreuungscenter GmbH | Telephone customer service |
ISON Care SP. z.o.o. | Assistance services and claims processing |
Malteser Hilfsdienst GmbH | Assistance services |
MD Medicus Assistance Service GmbH | Assistance services, medical hotline, portfolio and claims processing |
MedCare | Cost containment (USA) |
PAV GmbH | Printing and enveloping services |
Prestima (IMA IBERICA) | Assistance services and claims processing |
Intermediary companies with extended tasks (underwriting agents) | Risk assessment, contract administration, customer care, settlement |
We will be happy to provide you with the full contact details on request.
In addition, HanseMerkur also works with the following bodies as required, which collect, process and use health data and other data protected under Section 203 of the German Criminal Code (StGB):
| Persons and entities | Activities |
Doctors, reinsurers, experts | Appraisers and experts |
Detective agencies | Occasion-related fraud prevention in justified individual cases |
External IT service providers | Application development and provision of technical resources, e.g. conversion of data (insurance policy) for use in a wallet |
Letter shops | Mailing campaigns |
Debt collection companies | Judicial dunning procedure, debt collection |
Lawyers | General services in justified cases |
Service agencies | Offices abroad without portfolio/claims processing |
Translation agencies | General services |
Other recipients
In addition, we may transmit your personal data to further recipients, such as authorities in order to meet statutory disclosure requirements (e.g. social insurance agencies, financial authorities or law enforcement authorities).
Duration of data storage
We will delete your personal data as soon as it is no longer required for the above-mentioned purposes. In this context, personal data may be retained for the time during which claims may be asserted against our company (statutory limitation period of 3 or up to 30 years). Moreover, we save your personal data if we are obligated to do so by law. Corresponding obligations to provide supporting documents as well as retention requirements arise, in particular, from the German Commercial Code (HGB), the Tax Code (AO) and the Anti-Money Laundering Act (GwG). The storage periods are then up to 10 years.
Data subjects' rights
You can request information about the data stored about you at the above address. Furthermore, under certain conditions, you may also request that your data be rectified or erased. You may also have a right to restrict the processing of your data and a right to receive the data you have provided in a structured, commonly used and machine-readable format.
Right of objection
You have the right to object to the processing of your personal data for direct advertising purposes. If we process your data to safeguard justified interests, you can object to this processing if reasons result from your special situation that argues against data processing.
Right to lodge a complaint
You have the option of filing an appeal with the data protection officer named above or with a data protection supervisory authority. The data protection supervisory authority responsible for us is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Klosterwall 6,
20095 Hamburg
Data transfer to a third country
If we transfer personal data to service providers outside the European Economic Area (EEA), the transfer will take place only if the third country is deemed by the EU Commission to have an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding internal data protection rules, or EU standard contractual clauses) have been put in place.
Automated individual case decisions
Where we use automated processes, digital assistance systems and artificial intelligence, this is generally done to improve our internal processes and to supplement our efforts to combat fraud.
A human employee is usually involved in the processes and decisions. In some situations, however, processes are also automated to ensure fast and efficient handling. This applies in particular to automatic invoice verification and automated input management for issue recognition and processing.
Based on the information you provide about risk, which we ask you for when you submit your application, we may make fully automated decisions about the conclusion of the contract, possible risk exclusions or the amount of the insurance premium you have to pay. If an application is rejected on the basis of an automated check, we will inform you of this.
Based on the information you provide about the insured event, the data stored in relation to the contract concerned and, where applicable, information received from third parties, we may also decide on our obligation to pay benefits in a fully automated manner. Automated decisions regarding your claims for insurance benefits are based on the contractual agreements made with you, such as the insurance contract and the General Insurance Conditions, as well as on the application of binding remuneration regulations, such as the fee regulations for doctors (GOÄ), dentists (GOZ), alternative practitioners (GebüH) or the Hospital Remuneration Act and the Federal Nursing Care Rate Ordinance. In order to assess the scope of your benefits, we also take into account the health data we have processed about you.
If we make automated decisions in individual cases, you naturally have the right to obtain the intervention of a person on the part of the controller, to express your own point of view and to contest this decision.