HDI Global SE is a non-life insurer with its registered office in Germany. In the Netherlands, it operates from its branch office HDI Global SE, the Netherlands. Furthermore, it operates from its subsidiary HDI-Gerling Verzekeringen N.V. In the Netherlands, HDI Global SE, the Netherlands and HDI-Gerling Verzekeringen N.V. operate under the trade name HDI. HDI processes personal data and other types of data. HDI attaches great value to the protection of your privacy. Your personal data are therefore handled with care. Below, we will inform you of the processing of your personal data by HDI-Gerling Verzekeringen N.V. and HDI Global SE, the Netherlands, and the rights you have under applicable privacy legislation.
2. Controller in the Netherlands
HDI Global SE, the Netherlands / HDI-Gerling Verzekeringen N.V.
3012 KL Rotterdam
T. +31 (0)10 4036100
You can also contact our Data Protection Officer directly:
Mr. R.A.M. Houben
T: +31 (0)10 4036 376
3. Purpose of the data processing
HDI processes your personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Dutch General Data Protection Regulation Implementation Act.
Furthermore, processing is effectuated in accordance with the Financial Institutions Incident Warning System Protocol and the current Code of Conduct for the Processing of Personal Data by Insurers, the Code of Conduct for Handling Personal Injury Claims and the Code of Conduct for the Disclosure of Medical Incidents, all prevailing in the Netherlands. You can find this Protocol and these Codes of Conduct on www.verzekeraars.nl.
If you ask for a proposal for an insurance product, whether or not through a proposal form, we will ask you to state your personal data. It may concern the following personal data: first name, surname, date of birth, place of birth, nationality, sex, contact details (such as address, postcode, city/town, country, telephone numbers, e-mail addresses), job title, bank account number, driving licence number, registration plate number and vessel registration number. We need these data within the scope of the risk assessment we have to perform, for determining the insurance conditions and executing the client screening, and within the scope of the premium setting.
If you wish any risk to be covered by or via HDI, we need your data in order to be able to assess the risks offered within the scope of the insurance contract, to complete the client screening and to effectuate the insurance contract. Once the insurance contract has been effectuated, we will process your data within the scope of further execution of the insurance contract. There is data processing within the scope of risk inspection, invoicing, premium collection and premium return, adjustments, reinsurance contracts to be concluded by HDI and the execution thereof, as well as within the scope of contracts with brokers, contracts with principals, premium adjustments, customer relationship management, marketing activities, combating insurance fraud and other forms of insurance crime, statistical analyses, warranting the security and integrity of the financial sector, HDI and its employees, and in order to comply with statutory obligations. In this respect, HDI may process personal data regarding criminal convictions and criminal offences. Such processing is realized within the scope of effectuating and executing the insurance contract (client screening, fraud combat) and pursuant to binding statutory obligations.
If you claim under your insurance for loss suffered, we may ask you to provide us with information about the loss and the event that caused it. We need these data in order to establish whether the event covered occurred, the cause of the loss, whether or not coverage under the insurance can lawfully be claimed and whether you have fulfilled your obligations under the insurance contract, which may have consequences for the amount of the damages to be paid or the coverage under the policy (for instance in the event of infringing your duty of disclosure when concluding the insurance contract or in the case of intentional and gross negligence in preventing the loss-causing event).
The data we process in the event of loss may also relate to health data (in the case of injury). These health data are primarily processed by the medical adviser. Only if execution of the insurance contract requires it, will HDI process the data. Those of our employees involved in the processing of health data have a duty of confidentiality.
It is not possible to conclude or execute an insurance contract without processing your personal data.
HDI processes your personal data for statistical purposes and in order to comply with requirements following from legislation and regulations. In this respect, we make use of all data we obtain from existing contracts to enable us, for instance, to evaluate customer relationships and insured risks.
Your personal data are also processed for the purpose of representing the legitimate interests of HDI and third parties (article 6.1.f of the GDPR). This processing is particularly important:
- Within the scope of IT and information security;
- To enable us to offer our insurance products;
- In order to warrant the security and integrity of the financial sector, for instance, by combating insurance fraud and other forms of insurance crime, and in order to fight corruption i.e. by means of data analyses. In this respect, HDI also, and particularly, observes the provisions of the Fraud Protocol of the Dutch Association of Insurers and the Financial Institutions Incident Warning System Protocol;
- Within the scope of performance monitoring and improvement.
4. Legal basis
The legal basis for the processing of your personal data obtained prior to the effectuation of an insurance contract as well as after it can be found in article 6.1.b of the GDPR. If you provide your personal data by means of a form such as the proposal form or the UBO form, the basis can be found in article 6.1.a of the GDPR.
If special categories of personal data are required for the effectuation of insurance contracts and/or their execution, we will always ask you for your explicit permission to process them, in accordance with article 9.2.a of the GDPR in conjunction with article 7 of the GDPR. This permission is not required for the processing of health data in so far as that processing is necessary for the execution of the insurance contract. In that case, processing is realized in accordance with the provisions of article 9.2.h of the GDPR in conjunction with section 30.3.b of the Dutch General Data Protection Regulation Implementation Act. In so far as we process these special categories of personal data for statistical purposes, processing is realized in accordance with the provisions of article 9.2.j of the GDPR.
Within the scope of effectuating and executing your insurance contract, HDI also processes personal data regarding criminal convictions and related criminal offences. This processing is realized in accordance with the provisions of article 10 of the GDPR in conjunction with sections 32.a, 32.c and 33.2 of the Dutch General Data Protection Regulation Implementation Act.
In so far as HDI processes your personal data for the purpose of representing the legitimate interests of HDI and third parties, processing is based on article 6.1.f of the GDPR.
In addition to the foregoing, processing of personal data is effectuated in order to comply with legal requirements, such as statutory requirements and civil and fiscal retention obligations. The legal basis for this processing is constituted by article 6.1.c of the GDPR.
5. Categories of recipients of personal data
HDI reinsures the risks it has insured. Effectuating and executing reinsurance contracts may require that the insurance contract you concluded with us, your claim notice and other personal data obtained from you are provided to reinsurers to enable them to assess the risk and any coverage under the reinsurance contract. Given its expertise, it is also possible that the reinsurer is requested to assist HDI in the assessment of risks offered and the handling of any disputes. We will only provide data to reinsurers in so far as necessary within the scope of execution of the insurance contract concluded with you or necessary to represent our legitimate interests.
If you engage a broker (an intermediary in non-life insurance policies) in the request for a proposal and/or for taking out insurance, the broker will act as Controller. There may be exchange of your personal data between HDI and your broker within the scope of proposals to be submitted and the effectuation and execution of your insurance contract. There may also be such exchange when the broker requests HDI for it in the interest of the provision of his services to you.
Data processing within the group
HDI-Gerling Verzekeringen N.V. and HDI Global SE, the Netherlands form part of the Talanx Group. Within the Talanx Group there are enterprises and entities charged with certain data processing operations. When you conclude an insurance contract with one or more enterprises within the Talanx Group, personal data obtained from you may be processed at a central level by an enterprise or entity within the Group in the interest of central processing of client data (such as name and address), insurance contracts, loss, premium collection and payment of claims, and within the scope of automated processes. HDI Global SE, the Netherlands is charged with claim settlements from HDI-Gerling Verzekeringen N.V., for instance. Furthermore, it may be necessary to exchange data for the purpose of an optimum execution of the insurance contract concluded with you.
It is possible that you take out insurance via HDI with another insurer who has given us a power of attorney. It may be necessary to provide the insurer in question with the personal data obtained from you. We will only provide data to the extent that this is necessary in the context of the conclusion and execution of the insurance agreement concluded with you, the cooperation agreement concluded by HDI with principals, in order to comply with our statutory obligations or when this is necessary to protect our legitimate interests.
External service providers
We sometimes make use of external service providers to be able to comply with obligations from the insurance contract or statutory obligations. We may provide your personal data to those third parties. Through processor contracts, we make arrangements with those third parties about the use of your personal data.
Central Information System Foundation (Stichting CIS)
In connection with a responsible acceptance, risk and fraud policy, HDI may consult your data and record them in the Central Information System of insurance companies operating in the Netherlands: Stichting CIS, Bordewijklaan 2, 2591 XR The Hague, the Netherlands. By processing personal data through Stichting CIS, insurers and authorized agents are aiming at risk management and fraud control. For more information, visit www.stichtingcis.nl. You will also find the Privacy Regulations of Stichting CIS there.
Your personal data are also processed for the purpose of warranting the security and integrity of the financial sector, including the prevention and combating of insurance fraud and other forms of insurance crime. A personal screening may be performed if a fact-finding exercise fails to adequately answer the question as to what decision to make with regard to a specific proposal, current insurance contract, claim notice or other claim for payment or service related to an insurance policy, or in the event that a fact-finding exercise has led to a reasonable suspicion of insurance fraud or other forms of improper use of insurance products or services. A certified agency may be hired for this purpose. In the event of a personal screening, we observe the rules of the “Personal Screening Code of Conduct”. This Code of Conduct can be found on the website of the Dutch Association of Insurers www.verzekeraars.nl.
Personal data related to events that may be important to the security and integrity of the financial sector, HDI and its employees and, therefore, require special attention, may be included in an events register. Apart from an events register, HDI makes use of the incidents register and the external reference register. In the event of a fraud investigation, your data will be entered in the events register and possibly in the incidents register. If we have legitimate reason to believe that fraud has been committed, we will enter your data in the external reference index. This is the part of the incidents register which can be consulted by authorized staff members of other financial institutions. If HDI enters you in the external reference index, you will be notified personally. In that event, we will obviously process only the data necessary for the purpose. All processing operations are carried out in accordance with the Code of Conduct for the Processing of Personal Data by Insurers. This Code of Conduct can be found on the website of the Dutch Association of Insurers www.verzekeraars.nl.
Pursuant to the provisions of the Dutch Financial Supervision Act, HDI is obliged to keep a record of complaints. If you have filed a complaint with HDI, we will include your personal data in our record of complaints.
Insurance Bureau for Vehicle Crime
If we have agreed with you that your vehicle, work equipment and land-based equipment or your vessel will be entered in the register of the Insurance Bureau for Vehicle Crime in the event of loss of a vehicle, work equipment and land-based equipment or vessel so as to enhance the chances of recovery where registered, we will make your personal data including name, address, city/town, contact details and the registration plate of the relevant vehicle or the registration mark of the relevant vessel available to the Insurance Bureau for Vehicle Crime.
Other recipients of personal data
In so far as we are obliged by legislation and regulations to provide personal data, we will provide them to the relevant competent authorities. This may concern the provision of data to i.e. the tax authorities, the police, the Public Prosecution Service and supervisory authorities, such as in the Netherlands: the Authority for the Financial Markets AFM, the Dutch Central Bank DNB, the Data Protection Authority and the Consumer and Market Authority.
6. Retention period
We will keep your data as long as necessary in order to fulfil the aforementioned purposes for processing and/or as long as required by law. In principle, we use the following retention periods:
- 3 to 12 months if no agreement is concluded
- 5 to 10 years after the contract (no liability insurance) has been terminated
- 20 to 30 years after a contract (liability insurance) has been terminated
- 5 years after the final settlement of a claim
- 10 years after the final settlement of an injury claim
We may have a legitimate interest in some cases in retaining data for a longer period of time than specified. With a view to possible legal proceedings, personal data may be saved longer; the statutory limitation period is 3 years or even 30 years. Furthermore, personal data are saved longer where compliance with statutory obligations so requires. These obligations ensue in the Netherlands from, for instance, the Civil Code, the Financial Supervision Act, sanctions legislation and regulations, the State Taxes Act, the Turnover Tax Act and the Turnover Tax Implementation Decree, without being limited thereto. In that case, personal data will be saved for a period of ten years.
7. Your rights
You have the right to be informed on your personal data processed by HDI. Under certain conditions, you may request HDI to correct, complement or delete the personal data processed. Furthermore, you have the right to limit processing in certain cases. In certain cases, you may obtain the personal data you provided to HDI in a structured, current and machine-readable format. If you wish to exercise your rights and/or file a complaint against the way in which your data are processed, please contact our Data Protection Officer.
If you have a complaint with regard to the processing of your personal data by HDI, please address it to:
HDI Global SE, the Netherlands / HDI-Gerling Verzekeringen N.V.
Compliance & Security Department
Att. the Data Protection Officer
P.O. Box 925
3000 AX Rotterdam
If you disagree with HDI’s handling of your complaint, you can file a complaint with the Dutch Financial Services Complaints Board:
Stichting Klachteninstituut Financiële Dienstverlening (“Kifid”)
P.O. Box 93257
2509 AG The Hague
You can also file a complaint directly with the supervisory authority.
9. Supervisory authority
The Dutch Data Protection Authority:
2594 AV The Hague
P.O. Box 93374
2509 AJ The Hague
10. Provision of data to third countries
We exclusively provide personal data to service providers outside the European Economic Area (EEA) if the European Commission guarantees a proper level of protection or if appropriate guarantees are offered, such as binding operating regulations and the use of standard data protection provisions determined or approved by the European Commission. Questions about personal data processing in a third country may be addressed to our Data Protection Officer.
11. New developments
We would like to point out to you that we may change this Privacy Statement unilaterally from time to time. You can find the most recent version on our website. We recommend that you review our Privacy Statement regularly.