Data protection guidelines according to the EU General Data Protection Regulation for affected persons regarding the carrying out of insurance contracts.

Status: August 2018

With the following information, we are providing you with an overview according to Article 13 Par. 1 of the EU General Data Protection Regulation (GDPR) of the processing of your personal data when carrying out insurance contracts as well as your related rights according to data protection law.

The company itself does not take on new business anymore. A new insurance contract can nevertheless be concluded, for example as part of a legal maintenance settlement or the reactivation of a non-contributory insurance.

Who is responsible for the data processing and who can I contact

The responsible authority according to Article 4 No. 7 GDPR is:

Skandia Lebensversicherung AG (a company of the Viridium Group)
Dornhofstraße 36
63263 Neu-Isenburg

You can contact our data protection officer at:

Skandia Lebensversicherung AG
Data Protection Officer
Dornhofstraße 36
63263 Neu-Isenburg

E-mail address: datenschutz@viridium-gruppe.com

Why we process your data (processing purpose) and on what legal basis

We process your personal data in accordance with the EU General Data Protection Regulation (GDPR), Federal Data Protection Law (BDSG), the specifications of Insurance Contract Law (VVG) relevant for data protection, as well as all further applicable laws.  In addition, our company subscribes to the “Code of conduct for the handling personal data by the German insurance sector”, which obliges the member insurers to comply with comprehensive regulations for data protection and data security, in order to protect the data of customers. You can access these on the Internet here by clicking on it.

We need the details you provide to carry out the insurance contract agreed with you e.g. for issuing or invoicing.   We may need details of the case to check whether an insurance case applies and to what extent.

In addition, we need your personal data to compile insurance-specific statistics, e.g. for developing new tariffs or to fulfil supervisory regulations.  We use the data of all contracts with a life insurance company to consider the overall customer relationship, for example for consultation regarding contract adjustment, additions, for goodwill decisions or comprehensive issuing of information.

The legal basis for this processing of personal data for precontractual and contractual purposes is Article 6 Par. 1 Clause b GDPR.  If special categories of personal data (e.g. your health data for concluding/reissuing a life insurance contract) are required, we ask for your consent according to Article 9 Par. 2 Clause a in conjunction with Art. 7 GDPR.  If we compile statistics with these data categories, it is on the basis of Article 9 Par. 2 Clause j GDPR in conjunction with § 27 BDSG.

We also process your data to uphold our own justified interests or those of third parties (Article 6 Par. 1 Clause a GDPR). This can be required in particular:

• to ensure IT security and IT operation,
• to advertise our own insurance products and for other products of the companies in the Viridium Group and its cooperation partners, as well as for market and opinion surveys,
• to prevent and solve criminal offences, we especially use data analyses to identify indications of insurance misuse.

In addition, we process your personal data to fulfil legal obligations e.g. supervisory regulations, commercial and tax law storage obligations or our consultation obligation.  In this case, the respective legal regulations in accordance with Article 6 Par. 1 Clause c GDPR serve as a legal basis for the processing.

Do I have an obligation to provide data

It is not possible to conclude or carry out the insurance contract without processing your personal data.

Who receives my data

Reinsurers:

We insure risks we assume at special insurance companies (reinsurers).  It may be necessary to transmit your contract and, if applicable, damage data to a reinsurer so that the latter can assess the risk or the insurance case themselves.  Furthermore, it is possible that the reinsurer supports our company in the risk or service assessment, as well as in the evaluation of procedures, due to their particular specialist knowledge.  We transmit your data to the reinsurer only insofar as this is necessary for the fulfilment of our insurance contract with you or to the extent required to uphold our justified interests.  Further information about the reinsurers used is provided at the following links:

• General Reinsurance AG
• Scor Global Life Deutschland
• Swiss RE Europe S.A.

Agents:

If you are dealt with by an agent regarding your insurance contracts, your agent processes the application, contract and damage data required for concluding and carrying out the contract.  Our company also transmits this data to the respective agent, insofar as this information is needed for consultation and the handling of your insurance and financial services matters.

Data processing in the insurance group:

Specialised companies or areas of our insurance group assume certain data processing tasks for the companies included in the group. If there is an insurance contract between you and one of several companies in our group, your data may be processed for the central administration of address data, for customer service by telephone, for contract and service processing, for collection and payment, or for the joint central post processing by a company within the group. At the following link you can find the service provider list of the companies that participate in centralised data processing: Service provider list

External service providers:

To fulfil our contractual and legal duties, we make use in some cases of external service providers.

An overview of the contractors and service providers we use, with which there are not only temporary business relationships, can be found on the current version of the service provider list on our Internet page at the following link: Service provider list

Further recipients:

In addition, we may transmit your personal details to further recipients, such as to authorities for the fulfilment of legal notification duties (e.g. social security providers, financial authorities or law enforcement agencies). Regarding the transmission of data as part of the Common Reporting Standard (CRS) and the Foreign Account Tax Compliance Act (FATCA) to the Federal Central Tax Office (BZSt), you can find further information at the following link.

Is data transmitted to a third country or to an international organisation

If we transmit personal data to service providers outside of the European Union (EU) or the European Economic Area (EEA), transmission only occurs if the third country has been confirmed by the EU Commission as having an appropriate data protection standard or other suitable data protection guarantees (EU standard contract clauses according to Article 46 Par. 2 Clause c GDPR) are available.

How long is my data stored for

We delete your personal data as soon as it is no longer required for the aforementioned purposes. It is possible that personal data is stored for the period in which claims against our company can be made (legal limitation period of three to thirty years).  In addition, we store your personal data insofar as we have a legal obligation to do so.  Relevant verification and storage obligations are stated e.g. in the Commercial Code, Revenue Code and Money Laundering Law.  The storage periods are up to ten years.

What data protection rights do I have

Each affected person has the right to information according to Article 15 GDPR, the right to correction according to Article 16 GDPR, the right to deletion according to Article 17 GDPR, the right to restriction of the processing according to Article 18 GDPR, the right to objection according to Article 21 GDPR, as well as the right to data portability according to Article 20 GDPR.  The restrictions according to §§ 34 and 35 BDSG (Federal Data Protection Law) apply to the right to information and the right to deletion.  If the data processing is on the basis of your consent, you can revoke it at any time with effect for the future according to Article 7 GDPR.

Right to objection

You have the right to object to the processing of your personal data for the purposes of direct advertising.

If we process your data to uphold justified interests, you can object to this processing if reasons emerge in your particular situation that go against the data processing.

Right to complain

You have the right to complain to the aforementioned data protection officer or a data protection supervisory authority.

The responsible data protection authority in our case is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1 
65189 Wiesbaden 

Telefon: +49 611 1408 0
E-Mail: poststelle@datenschutz.hessen.de 
Internet: www.datenschutz.hessen.de  

To what extent is there automated decision-making (including profiling)

We do not use automated decisions in individual cases or profiling.